may not even know the identities of the data recipients, but deems it crucial that they
faces the challenge of (1) securely associating access policies with data and enforcing
tographically and eliminate trusted mediators. We motivate the need for flexible attribute organization within user keys for efficient support of many practical applications. We then propose Ciphertext-Policy Attribute-Set Based Encryption (CP-ASBE), which is the first CP-ABE scheme to (1) efficiently support naturally occurring compound attributes, (2) support multiple numerical assignments for a given attribute in a single key and (3) provide efficient key management. While the CP-ASBE scheme minimizes reliance on trusted mediators, it can support neither context-based policies nor policy privacy. In the second part of this dissertation, we propose Policy Based Encryption System (PBES), which employs mediated decryption and supports both context-based policies and policy privacy. Finally, we integrate the proposed schemes into practical applications (i.e., the CP-ASBE scheme with Attribute-Based Messaging (ABM) and the PBES scheme with a conditional data sharing application in the Power Grid) and demonstrate their usefulness in practice.
Chapter 1

Introduction

In distributed systems users often need to share sensitive data with other users based on the latter’s ability to satisfy various policies. In many cases the data owner may not even know the identities of the data recipients, but deems it crucial that they are legitimate; i.e., satisfy the policy. For example, consider a health care setting where an employee of a drug company is trying to target a message regarding the predicted side effects of a new drug to all patients at participating hospitals, who have a certain medical condition and have indicated a willingness to participate in clinical trials at their discretion. The drug company considers the potential side effects of the new drug private data and thus would like to keep the message confidential from anyone who does not satisfy the conditions above. However, the drug company and thus the employee are not allowed to know the identity of patients until they actually sign up for the trial. This example also illustrates the expressiveness and flexibility that needs to be provided for such policies.

Enabling such data sharing over the Internet faces the challenge of (1) securely associating access policies with data and enforcing them, and (2) protecting data as it traverses untrusted proxies and intermediate repositories. Furthermore, it is desirable to achieve properties such as: (1) flexibility of access policies; (2) privacy of sensitive access policies; (3) minimal reliance on trusted third parties; and (4) efficiency of access policy enforcement. Often schemes enabling controlled data sharing need to trade one property for another. In this dissertation, we (1) propose two complementary policy-based data sharing schemes that achieve different subsets of the above desired properties, (2) formally analyze their security, and (3) study their application to real systems. The first scheme addresses the problem of policy-based data sharing when there are no trusted mediating servers to enforce policies. In this case, while we minimize reliance on trusted third parties, we do not address policy privacy and limit ourselves to policies that do not use contextual information. The second scheme addresses the problem of policy-based data sharing when context-based policies, that is, policies that use context information, need to be supported and when privacy of policies needs to be protected. However, in this case we leverage a trusted server to enforce policies and incur some trust liability. We integrate the proposed schemes into two practical applications, the first scheme with Attribute-Based Messaging (ABM) and the second scheme with a conditional data sharing application in the Power Grid, and demonstrate their usefulness in practice.

The rest of this chapter is organized as follows. In Section 1.1 we present the problem of enabling policy-based data sharing without a mediating server to enforce policies. In Section 4.4 we present the problem of enabling policy-based data sharing that supports context-based policies and provides policy privacy. In Section 1.3 we present the applications with which we integrate the schemes proposed in this work. In Section 1.4 we present our contributions and in Section 1.5 we give an outline for the remaining part of this dissertation.
1.1 Policy-Based Data Sharing Without a Mediating Server

In some applications, a data owner may want to share data with other users based on the latter’s ability to satisfy various policies but may not have access to or may not be willing to trust a server to enforce the access policies associated with his data. For example, consider users of social networking sites such as Facebook, who do not have access to trusted mechanisms that protect their private data at a sufficient level of granularity. Another example is of a data owner who outsources data storage to a third party such as a cloud provider but is not willing to trust the provider with the content or to enforce his policies. In such situations, a typical solution is for the data owner to place encrypted data at a publicly accessible place, for example, the social networking site, and distribute the decryption keys to legitimate users. This requires that the data owner establish a secure channel with every user he wishes to share a given data item with. However, this is not always possible, as the data owner may not even know the identity of users that satisfy the policies associated with his data, as illustrated by the health care example discussed above.

Attribute-Based Encryption (ABE) [63, 37, 10, 23, 56, 24, 55, 36, 43, 49] is a new public-key encryption paradigm that provides an appealing alternative in the above scenarios. ABE enables policy-based data sharing by associating and enforcing access policies cryptographically, eliminating the need for trusted mediating servers to enforce the policies. Existing ABE schemes come in two complementary forms, namely, Key-Policy ABE (KP-ABE) or Predicate Encryption schemes [63, 37, 23, 56, 43] and Ciphertext-Policy ABE (CP-ABE) schemes [10, 24, 55, 36, 49]. In KP-ABE or Predicate Encryption schemes, as the name indicates, attribute policies (predicates) are associated with keys and data is annotated with attributes. Users are able to decrypt a ciphertext only if the attributes associated with it satisfy the predicate associated with their key. In CP-ABE schemes, on the other hand, attribute policies are associated with data and attributes are associated with keys. Users are able to decrypt a ciphertext only if the attributes associated with their keys satisfy the policy associated with the ciphertext. In ABE schemes a trusted entity distributes attribute or predicate keys to users. Data owners encrypt their data using the public parameters provided by the trusted entity and attributes or an attribute policy, and can make the encrypted data public. ABE schemes thus provide encrypt-and-publish semantics and minimize reliance on trusted third parties. CP-ABE is more intuitive as it is similar to the traditional access control model where data is protected with access policies and users with credentials satisfying the policy are allowed access to the data. While a lot of the research effort in designing CP-ABE schemes has been devoted to (1) improving expressiveness of policies supported and (2) providing privacy of policies, little attention has been paid to the organization of attributes within user keys. In this work, we motivate the need for flexible attribute organization within user keys of CP-ABE schemes for efficient support of many practical applications and propose the Ciphertext-Policy Attribute Set Based Encryption (CP-ASBE) scheme, the first CP-ABE scheme to organize attributes within user keys.
1.2 Data Sharing Based on Private, Context-Sensitive Policies

In some applications, data sharing is based on policies that include contextual information. For example, consider the Electric Power Grid, where power system operators need to cooperate with each other to operate the grid safely and reliably but also compete with each other as business entities. A utility company, say A, might be willing to share sensitive sensor data from its electrical network with neighboring utility companies only when there is a frequency or voltage disturbance in the regional grid that adversely affects them, but not under normal circumstances. While CP-ABE is a very useful encryption paradigm, existing CP-ABE schemes, including the one proposed in the first part of this dissertation, and ABE schemes in general, cannot efficiently support policies with contextual information, especially when the context could be ephemeral as in the above example. This is because, for CP-ABE schemes to take contextual information into account, it must be made available in the user keys. But given that (1) contextual information is usually short lived, (2) key generation is very expensive in existing CP-ABE schemes, and (3) existing CP-ABE schemes lack revocation mechanisms, supporting context-based policies in CP-ABE schemes is currently infeasible. In this work, we propose Policy Based Encryption System (PBES), an encryption scheme and system that supports context-sensitive policies and policy privacy by employing mediated decryption while retaining the encrypt-and-publish semantics that CP-ABE schemes provide.
1.3 Applications

1.3.1 Attribute-Based Messaging

Attribute Based Messaging (ABM) enables messages to be addressed using attributes of recipients rather than an explicit list of recipients. Such messaging offers benefits of efficiency, exclusiveness, and intensionality, but faces challenges in access control and confidentiality. In [12] we employed Attribute-Based Access Control (ABAC) to provide a manageable access control mechanism and presented an ABM architecture leveraging existing messaging systems. However, providing end-to-end confidentiality remained a challenge given that a message sender may not know who the legitimate recipients of his messages are. In this work we demonstrate the use of Ciphertext-Policy Attribute Based Encryption to provide end-to-end confidentiality. We integrate our CP-ASBE scheme with the ABM architecture and show that our scheme incurs very little overhead over an existing efficient CP-ABE scheme while providing much more flexibility.

1.3.2 Conditional Sharing of Phasor Measurement Unit (PMU) Data in the Power Grid

Increasing power consumption and major recent events such as the August 2003 blackout [73] mean that power system operators are compelled to improve the reliability of the grid through wide area situational awareness, monitoring and control. Phasor Measurement Units (PMUs), envisioned to be deployed across the grid, have the potential to provide wide area situational awareness when their data is shared among operators. In deregulated grids worldwide, and in the North American grid in particular, utilities share sensitive data with their local Reliability Coordinators (RCs) as required by regulatory laws. However, as shown by the example in Section 4.4 above, they might not be comfortable disclosing sensitive PMU data to other entities except under certain conditions, including transient conditions in the grid at the time of access. In this work, through a prototype implementation and integration, we show that the PBES scheme can meet the requirements of most applications that depend on shared PMU data.

1.4  Contributions 

In  this  dissertation  we  make  the  following  contributions: 

1. We motivate the need for flexible organization of attributes within user keys of CP-ABE schemes for efficient support of many practical applications. We propose Ciphertext-Policy Attribute-Set Based Encryption (CP-ASBE), a novel CP-ABE scheme that organizes attributes within user keys. We show that, by organizing attributes in user keys into recursive sets and allowing policies to impose dynamic constraints on how the attributes within a key may be combined to satisfy a policy, we can (1) efficiently support naturally occurring compound attributes, (2) support multiple numerical assignments for a given attribute in a single key, and (3) provide efficient key management. We formally prove that the CP-ASBE scheme is secure against chosen plaintext attacks (CPA) in the generic group model. We provide a library implementation of the scheme that is easy to integrate with applications.

2. We study the application of CP-ASBE, and CP-ABE in general, to a novel messaging paradigm that we proposed [12], namely, Attribute-Based Messaging (ABM). By integrating CP-ASBE with the ABM architecture and evaluating it, we show that CP-ASBE incurs very little overhead over an existing efficient CP-ABE scheme while providing much more flexibility.

3. We develop the Policy and Key Encapsulation Mechanism Data Encapsulation Mechanism (PKEM-DEM) encryption scheme, which is a generic construction to securely associate and encapsulate policies and data. We present Policy Based Encryption System (PBES), which uses the PKEM-DEM scheme and leverages a trusted server for mediated decryption. We show that PBES (1) supports flexible and expressive policies, including context-based policies, (2) provides policy privacy, and (3) provides encrypt-and-publish semantics. In addition to the security notions of message indistinguishability and policy indistinguishability, we define a new security notion of pair-wise indistinguishability for PBES where adversaries need to distinguish between pairs of messages and policies. We show that PBES satisfies the above security notions in the chosen ciphertext attack model.

4. We study the application of PBES to a real world problem, namely, conditional Phasor Measurement Unit data sharing in the Power Grid, which calls for increased data sharing when the grid is unstable. Through prototype implementation and evaluation we show that PBES is efficient enough to support most power applications that depend on shared sensor data.

1.5  Dissertation  Organization 

The remaining part of this dissertation is organized as follows. In Chapter 2 we review the related work and provide a context for the contributions of this dissertation. In Chapter 3 we discuss the problem of enabling policy-based data sharing without relying on a mediating server to enforce policies. In Chapter 4 we discuss the problem of enabling data sharing based on context-sensitive policies while preserving the privacy of those policies. In Chapter 5 we study the application of the schemes proposed in Chapters 3 and 4 by integrating them with real systems and analyzing their performance. We discuss future directions and conclude in Chapter 6.
Chapter 2

Related Work

In this chapter we review the related work in the areas of policy-based data sharing without mediating servers to enforce the policy and data sharing based on private, context-sensitive policies, and present our contributions in the context of the related work.

2.1  Policy-Based  Data  Sharing  Without  a  Mediating  Server 

Many cryptography-mediated data sharing schemes fall into this area and can be grouped into two classes, namely, data sharing between two parties and data sharing between multiple parties. Here we review relevant works in each class and contrast them with our work.

2.1.1  Secure  Two-Party  Data  Sharing 

Traditional hybrid public-key encryption standardized for e-mail in PEM [51], PGP [76], and S/MIME [59], and traditional identity-based encryption [15] enable two-party data sharing. However, they require the sender to know who the recipient is at the time of sending and thus can be considered as supporting data sharing based on a singleton policy, which is the identity of the recipient. Policy-based cryptographic schemes proposed in [2, 8], and several works in the area of “hidden policies and credentials” [18, 33, 48], enable data sharing based on a policy but focus on two-party interactions. In contrast we focus on multi-recipient data sharing based on flexible policies.

2.1.2  Secure  Multi-Party  Data  Sharing 

Secure multi-party data sharing is considered in many contexts. Here we focus on those contexts that do not rely on mediating servers to enforce policy, including secure group communication, secure mailing lists, policy-based cryptography and attribute-based encryption. In secure group communication, a group of users share a secret key that is updated whenever the group membership changes. Any member of the group can send a secure message to the group. However, in secure group communication members need to establish a shared secret key before communicating. Key distribution and key agreement schemes for secure group communication include [20, 58, 71, 74, 62, 44, 65, 40, 47, 13]. Furthermore, secure group communication is efficient for long standing data sharing associations and can be considered as supporting data sharing based on a group membership attribute, i.e., a singleton attribute policy.

Secure mailing lists [46, 45] provide confidentiality for messages sent on mailing lists using a partially trusted list server, i.e., the message contents are not revealed to the list server. Similar to secure group communication schemes, secure mailing lists are efficient for long standing data sharing associations and can be considered as supporting data sharing based on a mailing list membership attribute, i.e., a singleton attribute policy. In contrast, in our work we focus on enabling data sharing based on flexible and expressive policies.

Attribute-Based Encryption is the work most closely related to ours. While the concepts and ideas related to Attribute-Based Encryption have been alluded to in the literature as far back as [15, 25], Sahai and Waters [63] proposed what is considered the first ABE scheme. Their scheme supported policies with a single threshold gate. Furthermore, the threshold value k, and the size of the gate n used in a policy, are fixed during setup in their Large Universe construction. Pirretti et al. [57] showed how to overcome this limitation of fixed k and n and demonstrated the use of threshold access policies for two applications. Traynor et al. [72] further demonstrated its scalability by applying it to massive conditional access systems. Goyal et al. [37] first defined the two complementary forms of ABE, namely, KP-ABE and CP-ABE, and provided a construction for a KP-ABE¹ scheme. The proposed KP-ABE scheme supported all monotonic boolean encryption policies and was later extended by Ostrovsky et al. [56] to support non-monotonic boolean formulas.

Bethencourt et al. [10] gave the first construction for a CP-ABE scheme. Their construction supported all monotonic boolean encryption policies and the security of their scheme was argued in the generic group model. Cheung and Newport [24] gave the first standard model construction of a CP-ABE scheme. While their scheme supported both positive and negative attributes, it was limited to policies with single AND gates. Nishide et al. [55] extended the scheme in [24] to support policy secrecy. Goyal et al. gave the first standard model construction of a CP-ABE scheme that could support flexible policies [36]. Their scheme can realize all non-monotonic boolean formulas. However, since it is constructed using a KP-ABE scheme of [37], it is inefficient and has bounded ciphertext, i.e., the size of supported policies is fixed at setup. Katz et al. proposed a KP-ABE scheme in [43] that can support flexible policies and achieve policy secrecy. This scheme can be used to realize CP-ABE schemes, but such schemes have a bounded ciphertext. Most of the past work on CP-ABE schemes and ABE schemes in general, which enable policy-based data sharing without a trusted mediator, is focused on improving the expressibility of encryption policies and providing policy privacy. In contrast, ours is the first work to consider the organization of attributes within user keys, which we demonstrate is necessary in practical applications. Our CP-ASBE scheme is the first to organize user attributes in keys and allow users to impose dynamic constraints on how attributes can be combined to satisfy policies, allowing our scheme more flexibility and efficiency in practice.

¹ The scheme proposed in [63] can in retrospect be viewed as a KP-ABE scheme.

Support for numerical attributes in CP-ABE schemes was first discussed in [10]. While the technique may be applicable to other schemes, none of the existing CP-ABE schemes can support multiple value assignments for a given numerical attribute within a single key. Our CP-ASBE scheme is the first scheme to do so, allowing it to support applications where such attribute assignments are needed without sacrificing the flexibility of range queries (i.e., numerical comparisons) in policies for those attributes.

The policy-based cryptography scheme proposed in [7] enables data sharing based on flexible policies but is vulnerable to collusion attacks. That is, users who do not individually satisfy the policy associated with a given ciphertext may still be able to decrypt it when they collude.

2.2  Data  Sharing  Based  on  Private,  Context-Sensitive  Policies 

Our work in this area touches upon topics in the areas of policy/attribute based encryption, hidden credentials and policies, cryptographic file systems, and efficient and effective key management. Here we review relevant works in each of these areas and contrast them with our work. Some of these works are reviewed in Section 2.1 above but are repeated here for completeness.

Identity Based Encryption (IBE) [16, 25] schemes and messaging systems employing it [52] allow the association of a flexible policy with objects and support exchange in open distributed systems but do not keep the policy secret and are designed for two-party communication where the sender identifies the recipient in the encryption. Similarly, policy-based cryptographic schemes proposed in [2, 8] allow the association of a flexible policy with objects and support exchange in open distributed systems but do not keep the policy secret and are designed for two-party communication where the sender identifies the recipient in the encryption. Several works in the area of “hidden policies and credentials” [19, 33, 48] provide message and policy secrecy but focus on two-party interactions.

Attribute Based Encryption (ABE) systems such as Ciphertext-Policy ABE (CP-ABE) [10, 24, 36, 49], including our CP-ASBE scheme, and the cryptographic file system FSGuard [69] allow the association of flexible policies with objects for multiple recipients defined by those policies and support exchange in open distributed systems, but do not provide policy secrecy and cannot support context-based policies. Recent work by [55] extends CP-ABE to support policy secrecy but significantly limits its policy flexibility and does not support context-based policies. The Predicate Encryption scheme proposed in [43] also allows the association of flexible policies with objects for multiple recipients defined by those policies, supports exchange in open distributed systems and provides policy secrecy, but does not support context-based policies. PEAPOD [42] focuses on one-to-many messaging with both message and policy secrecy but does not provide efficient key management and is also vulnerable to collusion attacks.

Kapadia et al. [42] leverage the proxy re-encryption solution of [46] and propose an attribute-based publishing scheme that allows users to publish data encrypted under an attribute policy so that only users who satisfy the policy can decrypt it, with the additional property that the policy associated with the ciphertext remains private. However, this scheme suffers from the drawback that it is susceptible to collusion.

The work that probably comes closest to ours is the enterprise object encryption architecture proposed by [32] back in 1994. In their architecture a Key Release Agent releases decryption keys to users after authentication in a manner similar to that done by the KDC in PBES. However, they do not develop a secure policy based encryption scheme for their architecture.
Chapter 3

Policy Based Data Sharing Without a Mediating Server

In distributed systems users need to share sensitive objects with other users based on the latter’s ability to satisfy a policy. In some cases this data sharing needs to be accomplished without relying on trusted mediating servers. For example, users of many social networking sites such as Facebook do not have access to trusted mechanisms that protect their private data at a sufficient level of granularity. Attribute-Based Encryption (ABE) ushers in a new paradigm where such policies are specified and cryptographically enforced in the encryption algorithm itself. Existing ABE schemes come in two complementary forms, namely, Key-Policy ABE (KP-ABE) schemes and Ciphertext-Policy ABE (CP-ABE) schemes. In KP-ABE schemes [37, 43, 56, 63], as the name indicates, attribute policies are associated with keys and data is annotated with attributes. Only those keys associated with a policy that is satisfied by the attributes annotating the data are able to decrypt the data. In CP-ABE schemes [10, 24, 36, 55], on the other hand, attribute policies are associated with data and attributes are associated with keys. Only those keys whose associated attributes satisfy the policy associated with the data are able to decrypt it.

CP-ABE is more intuitive as it is similar to the traditional access control model where data is protected with access policies and users with credentials satisfying the policy are allowed access to it. Among the various CP-ABE schemes proposed, the one proposed by Bethencourt et al. [10], which we will hereafter refer to as BSW, is the most practical to date. It supports arbitrary strings as attributes, numerical attributes in keys and integer comparisons in policies, and provides a means for periodic key refreshment. Furthermore, the authors have developed a software prototype with a friendly interface for integration in systems. However, BSW and other CP-ABE schemes are still far from being able to support the needs of practical applications, which require considerable flexibility in specifying policies and managing user attributes as well as increased efficiency. This is in part due to the fact that keys in current CP-ABE schemes can only support user attributes that are organized logically as a single set; i.e., users can use all possible combinations of attributes issued in their keys to satisfy policies. This, we observe, imposes some undesirable restrictions which are outlined below.

First, this makes it both cumbersome and tedious to capture naturally occurring
“compound attributes”, i.e., attributes built intuitively from other (singleton)
attributes, and to specify policies using those attributes. For example, attributes
that combine a traditional organizational role with short-term responsibilities result
in useful compound attributes; e.g., ‘Faculty’ in ‘College of Engineering’ serving as
‘Committee Chair’ of a ‘University Tenure Committee’ in ‘Spring2009’ are all valid
attributes in their own right and are likely to be used to describe users. The only way
to prevent users from combining such attributes in undesirable ways when using
current CP-ABE schemes is by appending the (singleton) attributes as strings; i.e.,
faculty_collegeOfEngineering_committeeChair_univTenureCommittee_Spring2009. But
this approach has an undesirable consequence in that it makes it challenging to
support policies that involve other combinations of the singleton attributes used to
build the compound attribute; e.g., policies targeting “all committee chairs in
Spring2009” or “faculty serving on tenure committees”. This is because the underlying
crypto in CP-ABE schemes can only check for equality of strings and thus cannot
extract the “faculty” or “committeeChair” attributes from a compound attribute such
as the one described above.

Second, CP-ABE schemes that support numerical attributes (i.e., allow numerical
comparisons in policies) are limited to assigning only one value to any given
numerical attribute within a key. But there are many real world systems where
multiple numerical value assignments for a given attribute are common; e.g., students
enrolled in multiple courses identified by numeric course numbers in a given
semester, users with multiple accounts at a particular bank, disease codes for
individual diseases and disease classes used widely in health care. Furthermore, the
ability to compare across such multiple value assignments adds flexibility to policy
specification. For example, consider a college student enrolled in two junior level
courses, 357 and 373, and two senior level courses, 411 and 418, respectively. Without
support for multiple numerical value assignments for a given attribute, specifying
policies to target students enrolled in senior level courses, such as “course number
greater than or equal to 400 and less than 500”, is tedious and cumbersome.

In this chapter, we propose Ciphertext-Policy Attribute-Set Based Encryption
(CP-ASBE), a form of CP-ABE, that addresses the above limitations of CP-ABE
by introducing a recursive set based structure on attributes associated with user
keys. Specifically, CP-ASBE allows 1) user attributes to be organized into a recursive
family of sets and 2) policies that can selectively restrict decrypting users to
use attributes from within a single set or allow them to combine attributes from
multiple sets. Thus, by grouping user attributes into sets such that those belonging
to a single set have no restrictions on how they can be combined, CP-ASBE
can support compound attributes without sacrificing the flexibility to easily specify
policies involving the underlying singleton attributes. Similarly, multiple numerical
assignments for a given attribute can be supported by placing each assignment in a
separate set.

While restricting users to use attributes from a single set during decryption
can be thought of as a regular CP-ABE scheme, the challenge in constructing a
CP-ASBE scheme is in selectively allowing users to combine attributes from multiple
sets within a given key while still preventing collusion, i.e., preventing users from
combining attributes from multiple keys. We provide a construction for a CP-ASBE
scheme that builds on BSW and evaluate its performance through a prototype
implementation. We show that our construction is secure against chosen-plaintext
attacks in the generic group model. However, our construction can be efficiently
extended to be secure against chosen-ciphertext attacks using a transformation like
Fujisaki-Okamoto [34, 75] or the techniques of Canetti, Halevi and Katz [22], just
like the BSW scheme [10].

The rest of this chapter is organized as follows. In Section 3.1 we further
demonstrate the limitations of existing CP-ABE schemes and motivate the need for
CP-ASBE. In Section 3.2 we give some preliminaries. In Section 3.3 we present
our construction of CP-ASBE. In Section 3.4 we formally prove its security. In
Section 3.5 we discuss optimizations and the efficiency of the scheme.

3.1  Need  for  Organizing  Attributes  in  CP-ABE  User  Keys 

The ability to group attributes into sets and to frame policies that can selectively
restrict the decrypting key to use attributes belonging to the same set is a
more powerful feature than one might realize initially. In this section we illustrate
its versatility by solving various problems in different contexts which did not have
any reasonably efficient solutions prior to this.

3.1.1  Supporting  Compound  Attributes  Efficiently 

While existing CP-ABE schemes offer unprecedented expressive power for addressing
users, for several natural scenarios they are inadequate. We illustrate this
with the following natural example and show how CP-ASBE provides a simple
solution.

Consider attributes for students derived from courses they have taken. Each
student has a set of attributes (Course, Year, Grade) for each course she has taken.
In the following, consider a simple policy “Students who took a 300 < Course
< 400 in Year > 2007 and got Grade > 2.” Using a CP-ABE scheme for this is
challenging because, for instance, a student can take multiple courses and obtain
different grades in them. The policy circuit will have to ensure that she cannot
mix together attributes from different sets to circumvent the policy. We point out
a few possible options of using CP-ABE, but all are unrealistic or unsatisfactory. The
efficiency parameters considered are the number of designed attributes given to each
student, and the size of the designed policy (a circuit, with designed attributes as
inputs, for enforcing the policy).

• For each course that the student has taken, let there be a single designed
(boolean) attribute that she gets (e.g. cyg:373_2008_4). But the designed policy
will have to (unrealistically) anticipate all such attributes that will satisfy
the policy (e.g., cyg:300_2007_3 or cyg:301_2007_3 or ... or cyg:399_2010_4).

• Anticipate (again, unrealistically) all possible policies that may occur which
the student’s attributes will satisfy, and give her compound boolean attributes
corresponding to each of these policies (e.g., cyg:373_2008_4, cyg:373_2008,
cyg:(>300)_2008, cyg:(>400)_2007-or-cyg:(>300)_2008_(>3), ...). In this case
our designed policy is minimal, with just an input gate (labeled by the attribute
cyg:(>300,<400)_(>2007)_(>2)) and an output gate.

• Fix an upper bound on the number of courses a student could ever take, say
50, and give all attributes indexed by a counter (e.g. Course#1, Year#1,
Grade#1 etc.); then the policy will have to incorporate several cases (e.g.,
(400 > Course#1 > 300 and Year#1 > 2007 and Grade#1 > 2) or ... or
(400 > Course#50 > 300 and Year#50 > 2007 and Grade#50 > 2)). This
increases the policy size by a factor of 50.

If a policy can refer to more than one course, all these approaches will lead to even
more inefficiency or restrictions. In particular, in the third (and the most efficient)
approach, if a policy refers to just two courses, the blow up will be by a factor of
2500 instead of 50.

We stress that these are not the only possibilities when using CP-ABE. In
general, by giving more attribute keys, the circuit complexity of the policies can be
reduced (the first two options above being close to the two extremes). One could
achieve slightly smaller policies by adding judiciously chosen auxiliary attributes
and adding some structure to the values taken by these attributes (for instance, in the
third option above, one can let the counter monotonically increase with the course
number). However, the resulting schemes are still unrealistically inefficient in terms
of policy size and/or number of keys, and further make attribute revocation even
less efficient.

A CP-ASBE scheme can be used to overcome these issues by assigning multiple
values to the group of attributes but in different sets. In our example, for each course
that a student has taken, she gets a separate set of values for the attributes (Course,
Grade, Year). Thus the number of designed attributes she receives is comparable to
the number of natural attributes she has; further, the designed policy is comparable
in size to that of a policy that did not enforce the requirement that attributes
from different courses should not be mixed together. In short, using CP-ASBE, we
can obtain efficient ciphertext policy encryption schemes for several scenarios where
existing CP-ABE schemes are insufficient.

Expressiveness in terms of Attribute-Databases Supported. Some of the
flexibility illustrated above can be understood by viewing the association of
attributes to a user as an entry in a database table. In such a table — which we will
call the attribute table — each row stands for a user and each column (other than
user identity) for an attribute.1 The policy associated with a cipher-text could be
considered a query into this table, to identify all users whose attributes satisfy a
certain predicate.

The expressive power of a CP-ABE scheme is given by the class of queries into
this table that the scheme can support. For instance, BSW CP-ABE [10] supports
a large class of such queries. One challenge to increase the expressive power would
be to broaden this class. However, there is another important dimension in which
the expressive power of a CP-ABE scheme can be improved, by supporting a more
general class of attribute tables. The above description of CP-ABE required that
each user ID appears in only one row in the table. (In other words, the user ID must
be a “superkey” in the attribute table.) Of course, a table can be forced to have this
property, but this leads to large blow ups in the number of designed attributes that
a user receives or the size of the designed policy. On the other hand, a CP-ASBE
scheme can directly support a table with multiple rows per user: the attributes in each
row are given as a separate set.

1 In the case of a “large universe” of attributes, the number of columns could be very large -
say all strings of 256 bits - and the resulting sparse table will never be stored directly as a
table. Our examples shall mostly use the small universe scenarios, though they extend to the large
universe setting as well.

3.1.2 Supporting Multiple Value Assignments


A major motivation for CP-ASBE is to support multiple value assignments
for a given attribute in a single key.2 To illustrate this, suppose score is a 6-bit
integer representing the score a user receives in a game. (The user may possess
several other attributes in the system.) The user can play the game several times
and receive several values for score. This numerical attribute will be represented
by 12 boolean attributes: score_bit0_0, score_bit0_1, ..., score_bit6_0 and score_bit6_1,
corresponding to the values 0 and 1 for the six bits in the binary representation of
the value. Now consider a user who has two values of score, 33 (binary 100001) and
30 (binary 011110). By obtaining attributes for the bit values of these two numbers,
the user gets all 12 boolean attributes, effectively allowing him to pretend to have
any score he wants.

CP-ASBE solves this problem elegantly: each value assignment of the numerical
attribute is represented in a separate set with six boolean attributes each (one
for each bit position). Note that attributes other than score need not be repeated.
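The bag-of-bits problem just described, as an added Python illustration written for this chapter's argument (it is not code from the dissertation or its prototype). The score is modelled as twelve boolean bit attributes, with the bits numbered 0 to 5 here as an assumption; a flat CP-ABE style key pools the bit attributes of every assigned value, while a CP-ASBE style key keeps each value's bits in its own set. The last function lists the scores a flat key can be made to "equal" without ever having been assigned them.

```python
# Added example: bag-of-bits numerical attribute with multiple value assignments.
# Not from the dissertation; bit positions 0..5 of the 6-bit score are an assumption.

WIDTH = 6  # score is a 6-bit integer, as in the text


def bit_attributes(name, value, width=WIDTH):
    """Boolean attributes encoding `value`: one '<name>_bit<k>_<b>' per bit position k."""
    if not 0 <= value < 2 ** width:
        raise ValueError("value %d does not fit in %d bits" % (value, width))
    return {"%s_bit%d_%d" % (name, k, (value >> k) & 1) for k in range(width)}


def equals_policy(name, value, width=WIDTH):
    """AND of all bit attributes of `value`; only a key holding exactly that value should pass."""
    return bit_attributes(name, value, width)


def flat_key(name, values):
    """CP-ABE style: every assigned value's bit attributes are pooled into one set."""
    attrs = set()
    for v in values:
        attrs |= bit_attributes(name, v)
    return attrs


def set_key(name, values):
    """CP-ASBE style: each assigned value lives in its own set (one set per assignment)."""
    return [bit_attributes(name, v) for v in values]


def satisfies_flat(key_attrs, policy):
    """Any combination of attributes in the key may be used to meet the policy."""
    return policy <= key_attrs


def satisfies_sets(key_sets, policy):
    """Attributes may only be combined within a single set."""
    return any(policy <= s for s in key_sets)


def forgeable_scores(name, values, width=WIDTH):
    """Scores v for which the flat key passes 'score = v' although no single set does."""
    flat = flat_key(name, values)
    sets = set_key(name, values)
    return [v for v in range(2 ** width)
            if satisfies_flat(flat, equals_policy(name, v, width))
            and not satisfies_sets(sets, equals_policy(name, v, width))]


if __name__ == "__main__":
    # The text's user: scores 33 (100001) and 30 (011110) together cover all 12 bit attributes.
    print(sorted(flat_key("score", [33, 30])))
    print(len(forgeable_scores("score", [33, 30])), "scores can be faked with a flat key")
    print(satisfies_sets(set_key("score", [33, 30]), equals_policy("score", 63)))
```

With 33 and 30 the flat key holds both values of every bit, so all 62 unassigned scores become forgeable; with the two values in separate sets only 33 and 30 themselves pass an equality policy. Two values whose bit patterns overlap heavily (say 1 and 3) leave the flat key with nothing extra to forge, which is why the problem is easy to miss in small tests.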

Application: Efficient revocation. ABE schemes suffer from lack of an effective
revocation mechanism for keys that have been issued (just like IBE). To address
this in CP-ABE in a limited manner, Bethencourt et al. [10] propose adding an
expiration_time attribute to a user’s key indicating the time (i.e., a numerical value)
until which the key is considered to be valid. Then a policy can include a check
on the expiration_time attribute as a numerical comparison. However, in practice
the validity period of sensitive attributes has to be kept small to reduce the window
of vulnerability when a key is compromised, e.g. a day, a week or a month. At
the end of this period the entire key will have to be re-generated and re-distributed
with an updated expiration time, imposing a heavy burden on the key server and
key distribution process.

2 Note that multiple values for an attribute is relevant only when the attribute in question is
not a boolean attribute (in a monotonic policy).

CP-ASBE solves this problem more efficiently. First, we observe that while
key validity is limited because of the window of vulnerability, the actual attribute
assignments change far less frequently. Second, we observe that it is possible to
add attributes retroactively to a user key, both in BSW CP-ABE and CP-ASBE, if
the key server is able to maintain some state information about the user key. Then, by
allowing multiple value assignments to the expiration_time attribute we can simply
add a new expiration value to the existing key. Thus, while we require the key server
to maintain some state, we avoid the need to generate and distribute new keys on a
frequent basis. This reduces the burden on the key server by a factor proportional
to the average number of attributes in user keys.

3.2  Preliminaries 

Bilinear Maps. Let $G_1$, $G_2$, $G_T$ be cyclic (multiplicative) groups of order $p$, where
$p$ is a prime. Let $g_1$ be a generator of $G_1$, and $g_2$ be a generator of $G_2$. Then
$e : G_1 \times G_2 \to G_T$ is a bilinear map if it has the following properties:

1. Bilinearity: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}_p$ we have $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degeneracy: $e(g_1, g_2) \neq 1$.

Usually, $G_1 = G_2 = G$. $G$ is called a bilinear group if the group operation and
the bilinear map $e$ are both efficiently computable.

Key Structure. In CP-ABE schemes, an encryptor specifies an access structure
for a ciphertext which is referred to as the ciphertext policy. Only users with secret
keys whose associated attributes satisfy the access structure can decrypt the
ciphertext. In CP-ABE schemes so far, a user’s key can logically be thought of as
a set of elements each of which corresponds to an associated attribute, such that
only elements within a single set may be used to satisfy any given ciphertext policy
(i.e., collusion resistance). In our scheme however, we use a recursive set based key
structure where each element of the set is either a set itself (i.e. a key structure)
or an element corresponding to an attribute. We define a notion of depth for this
key structure, which is similar to the notion of depth for a tree, that limits this
recursion. That is, for a key structure with depth 2, members of the set at depth 1
can either be attribute elements or sets but members of a set at depth 2 may only
be attribute elements. The following is an example of a key structure of depth 2:

{ CS-Department, Grad-Student, {Course101, TA}, {Course525, Grad-Student} }

The depth of key structures that can be supported by our scheme is a system
parameter that should be decided at the time of setup. That is, if the system is
set up with a depth parameter of 5, keys of depth 5 or less can be supported. For
ease of exposition, we will describe our scheme for key structures of depth 2. But
our construction is easily generalized to support keys of any depth $d$ where $d$ is fixed
at setup.


The key structure defines unique labels for sets in the key structure. For key
structures of depth 2, just an index (arbitrarily assigned) of the set among sets at
depth 2 is sufficient to uniquely identify the sets. Thus if there are $m$ sets at depth
2 then a unique index $i$ where $1 \le i \le m$ is (arbitrarily) assigned to each set. The
set at depth 1 is referred to as set 0 or simply the outer set. If $\psi$ represents a key
structure then let $\psi_i$ represent the $i$th set in $\psi$. Individual attributes inherit the
label of the set they are contained in and are uniquely defined by the combination of
their name and their inherited label. That is, while a given attribute might appear
in multiple sets it can appear only once in any set. In the above example, the
outer set and {Course525, Grad-Student} are assigned labels 0 and 2 respectively,
and the two instances of the attribute Grad-Student are distinguished by the unique
combination of their inherited set label and attribute name, (0, Grad-Student) and
(2, Grad-Student), respectively. By default, a user may only use attribute elements
within a set to satisfy a given ciphertext policy. That is, a user with the key structure
from the above example may combine individual attributes either from the outer set
(i.e., {CS-Department, Grad-Student}) or from the set {Course101, TA} or from
the set {Course525, Grad-Student} to satisfy the policy associated with a given
ciphertext but may not combine attributes across the sets. However, an encryptor
may choose to allow combining attributes from multiple sets to satisfy the access
structure by designating translating nodes in the access structure as explained below.
Access Structure. We build on the access structure used in [10] which is a tree
whose non-leaf nodes are threshold gates. Each non-leaf node of the tree is defined
by its children and a threshold value. Let $nc_x$ denote the number of children and $k_x$
the threshold value of node $x$; then $0 < k_x \le nc_x$. When $k_x = 1$, the threshold gate
is an OR gate and when $k_x = nc_x$ it is an AND gate. The access tree also defines an
ordering on the children of a node, i.e., they are numbered from 1 to $nc_x$. For node
$x$ such a number is denoted by $\mathrm{index}(x)$. Each leaf node $y$ of the tree is associated
with an attribute which is denoted by $\mathrm{att}(y)$. Furthermore, the encrypting user
may designate some nodes in an access tree as translating nodes. Their function will
become clear as we discuss below the conditions under which a key structure is said
to satisfy an access tree.

Let $\mathcal{T}$ be an access tree whose root node is $r$. Let $\mathcal{T}_x$ denote the subtree of $\mathcal{T}$
rooted at node $x$. Thus $\mathcal{T}_r$ is the same as $\mathcal{T}$. Now we will define the conditions
under which a key structure $\psi$ is said to satisfy a given access tree $\mathcal{T}$ assuming there
are no designated translating nodes in the access tree. We will then extend the
definition to consider the presence of translating nodes. A key structure $\psi$ is said
to satisfy the access tree $\mathcal{T}$ if and only if $\mathcal{T}(\psi)$ returns a non-empty set $S$ of labels.
We evaluate $\mathcal{T}_x(\psi)$ recursively as follows. If $x$ is a non-leaf node we evaluate $\mathcal{T}_{x'}(\psi)$
for all children $x'$ of $x$. $\mathcal{T}_x(\psi)$ returns a set $S_x$ containing unique labels such that
for every label $lbl \in S_x$ there exists at least one set of $k \ge k_x$ children such that for
each child $x'$ of these $k$ children $S_{x'}$ contains the label $lbl$. If $x$ is a leaf node then
the set $S_x$ returned by $\mathcal{T}_x(\psi)$ contains a label $lbl$ if and only if $\mathrm{att}(x) \in \psi_{lbl}$. Thus a
key structure is said to satisfy an access tree if it contains at least one set that has
all the attributes needed to satisfy the access tree. Note that attributes belonging
to multiple sets in the key structure cannot be combined to satisfy the access tree.

However, if there are designated translating nodes in the access tree, the
algorithm $\mathcal{T}(\psi)$ is modified as follows. The algorithm $\mathcal{T}_x(\psi)$ is the same as above
when $x$ is a leaf node. When $x$ is a non-leaf node we evaluate $\mathcal{T}_{x'}(\psi)$ for all children
$x'$ of $x$. $\mathcal{T}_x(\psi)$ returns a set $S_x$ containing unique labels such that for every label
$lbl \in S_x$ there exists at least one set of $k \ge k_x$ children such that for each child $x'$
of these $k$ children $S_{x'}$ either contains the label $lbl$ or $x'$ is a translating node and
$S_{x'} \neq \emptyset$. Thus, if node $x$ is a designated translating node then, even if the attribute
elements used to satisfy the predicate represented by the subtree rooted at $x$ belong
to a different set in the key structure than those used to satisfy the predicates
represented by the siblings of $x$, the decrypting user is able to combine them to satisfy
the predicate represented by the parent node of $x$.
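The labelled satisfaction algorithm $\mathcal{T}_x(\psi)$ above, together with the set labelling of key structures from the preceding paragraphs, as an added Python example written for this page (not code from the dissertation or its prototype). The depth-2 key structure is a dictionary from label to attribute set, with the outer set as label 0; a gate is a threshold node with an ordered child list and an optional translating flag, and these class names and the layout are assumptions. The evaluator returns $S_x$ for any node, so satisfaction is simply non-emptiness at the root; the constructed policies reuse the key structure from the text and show the same policy failing without a translating node and passing with one.

```python
# Added example: evaluating T_x(psi) over a depth-2 key structure, with translating nodes.
# Not code from the dissertation; the class names and the dict-of-sets key layout are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Union

# Label -> attributes in that set. Label 0 is the outer set; 1..m are the depth-2 sets.
KeyStructure = Dict[int, Set[str]]


@dataclass
class Leaf:
    attr: str               # att(x)
    translating: bool = False


@dataclass
class Gate:
    k: int                  # threshold k_x; k=1 is OR, k=len(children) is AND
    children: List["Node"]  # ordered children, index(x') = position + 1
    translating: bool = False

    def __post_init__(self):
        if not 0 < self.k <= len(self.children):
            raise ValueError("threshold must satisfy 0 < k_x <= nc_x")


Node = Union[Leaf, Gate]


def labels(node: Node, key: KeyStructure) -> Set[int]:
    """Return S_x: the labels of key sets that satisfy the subtree rooted at `node`."""
    if isinstance(node, Leaf):
        # Leaf: lbl is in S_x iff att(x) is in set psi_lbl.
        return {lbl for lbl, attrs in key.items() if node.attr in attrs}
    child_labels = [labels(c, key) for c in node.children]
    candidates = set().union(*child_labels)
    result = set()
    for lbl in candidates:
        # A child counts towards the threshold if its own result carries lbl, or if it
        # is a translating node with any non-empty result (its label gets translated).
        supporting = sum(
            1 for child, s in zip(node.children, child_labels)
            if lbl in s or (child.translating and s))
        if supporting >= node.k:
            result.add(lbl)
    return result


def satisfies(tree: Node, key: KeyStructure) -> bool:
    """A key structure satisfies the tree iff T(psi) is non-empty."""
    return bool(labels(tree, key))


# The depth-2 key structure from the text: outer set 0, depth-2 sets labelled 1 and 2.
EXAMPLE_KEY: KeyStructure = {
    0: {"CS-Department", "Grad-Student"},
    1: {"Course101", "TA"},
    2: {"Course525", "Grad-Student"},
}

# Constructed policy: CS-Department AND (Course525 AND Grad-Student). Without translation
# the inner AND is met only by set 2 and CS-Department only by set 0, so it fails.
POLICY_STRICT = Gate(2, [Leaf("CS-Department"),
                         Gate(2, [Leaf("Course525"), Leaf("Grad-Student")])])
# Marking the inner gate as translating lets set 2's satisfaction combine with set 0's.
POLICY_TRANSLATING = Gate(2, [Leaf("CS-Department"),
                              Gate(2, [Leaf("Course525"), Leaf("Grad-Student")],
                                   translating=True)])

if __name__ == "__main__":
    print(labels(Leaf("Grad-Student"), EXAMPLE_KEY))    # both sets holding Grad-Student
    print(labels(POLICY_STRICT, EXAMPLE_KEY))           # empty: cannot mix sets 0 and 2
    print(labels(POLICY_TRANSLATING, EXAMPLE_KEY))      # label 0: translated into the outer set
```

Note that the label surviving at the parent of a translating node is the sibling's label (here 0, the outer set), which is exactly the direction the $E_i$ elements of the construction translate in: from a depth-2 set to its parent.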

Syntax  of  CP-ASBE  Scheme.  A  CP-ASBE  scheme  consists  of  four  algorithms, 
Setup,  KeyGen,  Encrypt  and  Decrypt.  The  algorithm  Setup  produces  a  master 
key  and  a  public  key  for  the  scheme.  KeyGen  takes  as  input  the  master-key,  a  user’s 
identity  and  an  attribute  set;  it  produces  a  secret  key  for  the  user.  Encrypt  takes 
as  input  the  public  key  of  the  scheme,  a  message  and  an  access  tree,  and  outputs 
a  ciphertext.  Finally,  Decrypt  takes  a  ciphertext  and  a  secret-key  (produced  by 
KeyGen),  and  if  the  access-tree  used  to  construct  the  ciphertext  is  satisfied  by  the 
attribute  set  for  which  the  secret-key  was  generated,  then  it  recovers  the  message 
from  the  ciphertext. 
Security of CP-ASBE Scheme. Our notion of message indistinguishability for
a CP-ASBE scheme against chosen-plaintext attacks is similar to that for CP-ABE
schemes [10].

Setup. The challenger runs the Setup algorithm and gives the public parameters, PK,
to the adversary.

Phase 1. The adversary makes repeated queries for private keys corresponding to
attribute sets $A_1, \ldots, A_{q_1}$.

Challenge. The adversary submits two equal length messages $M_0$ and $M_1$, and a
challenge access structure $\mathcal{T}^*$ such that none of the private keys obtained in
Phase 1 corresponding to attribute sets $A_1, \ldots, A_{q_1}$ satisfy the access structure.
The challenger flips a random coin $b$, and encrypts $M_b$ under $\mathcal{T}^*$. The resulting
ciphertext CT is given to the adversary.

Phase 2. Phase 1 is repeated with the restriction that none of the attribute sets
$A_{q_1+1}, \ldots, A_q$ satisfy the access structure corresponding to the challenge.

Guess. The adversary outputs a guess $b'$ of $b$.

The advantage of an adversary $\mathcal{A}$ in this game is defined as $\Pr[b' = b] - \frac{1}{2}$.
This game could easily be extended to include chosen-ciphertext attacks by allowing
for decryption queries in Phase 1 and Phase 2.

Definition 3.1. A CP-ASBE scheme is secure against chosen-plaintext attacks if
all probabilistic polynomial time adversaries have at most a negligible advantage in
the game above.
3.3 Our CP-ASBE Construction


A  key  challenge  in  designing  CP-ABE  schemes  is  preventing  users  from  pooling 
together  their  attributes.  BSW  CP-ABE  achieves  this  by  binding  together  all  the 
attribute  key  components  for  each  user  with  a  random  number  unique  to  the  user. 
Since  in  a  CP-ASBE  scheme  one  must  prevent  arbitrary  combination  of  attributes 
belonging  to  different  sets  (even  if  they  belong  to  the  same  user),  a  natural  idea 
would  be  to  similarly  use  a  unique  random  number  for  binding  together  attribute 
key  components  for  each  set,  in  addition  to  using  a  random  number  for  each  user. 
However,  a  CP-ASBE  scheme  must  also  support  specific  combinations  of  attributes 
from  different  sets,  as  specified  in  an  access-tree.  The  key  idea  in  our  construction 
is  to  include  judiciously  chosen  additional  values  in  the  ciphertext  (and  in  the  key) 
that  will  allow  a  user  to  combine  attributes  from  multiple  sets  all  belonging  to  the 
same  user.  As  it  turns  out,  such  a  modification  could  introduce  new  subtle  ways  for 
multiple  users  to  combine  their  attributes.  Our  construction  shows  how  to  thwart 
such  attacks,  using  appropriate  levels  of  randomization  among  different  users’  keys. 

Let $G_0$ be a bilinear group of prime order $p$ and let $g$ be a generator of $G_0$.
Let $e : G_0 \times G_0 \to G_1$ denote a bilinear map. Let $H : \{0,1\}^* \to G_0$ be a hash
function that maps any arbitrary string to a random group element. We will use
this function to map attributes described as arbitrary strings to group elements.

Setup($d = 2$). The setup algorithm chooses random exponents $\alpha, \beta_i \in \mathbb{Z}_p$ for all
$i \in \{1, 2\}$. The algorithm sets the public key and master key as:

$$PK = \left( G_0,\ g,\ h_1 = g^{\beta_1},\ f_1 = g^{1/\beta_1},\ h_2 = g^{\beta_2},\ f_2 = g^{1/\beta_2},\ e(g,g)^{\alpha} \right)$$

$$MK = \left( \beta_1,\ \beta_2,\ g^{\alpha} \right)$$

Note that to support key structures of depth $d$, $i$ will range from 1 to $d$.


KeyGen(MK, $A$, $u$). Here $u$ is the identity of a user and $A = \{A_0, A_1, \ldots, A_m\}$ is a
key structure. $A_0$ is the set of individual attributes in the outer set (i.e. set 0) and $A_1$
to $A_m$ are sets of attributes at depth 2 that the user has. Let $A_i = \{a_{i,1}, \ldots, a_{i,n_i}\}$.
That is, $a_{i,j}$ denotes the $j$-th attribute appearing in set $A_i$, and $n_i$ denotes the
number of attributes in the set $A_i$. (Note that for different values of $i$, $a_{i,j}$ can
be the same attribute.) The key generation algorithm chooses a unique random
number $r^{(u)} \in \mathbb{Z}_p$ for user $u$. It then chooses a set of $m$ unique random numbers
$r_i^{(u)} \in \mathbb{Z}_p$, one for each set $A_i \in A$, $1 \le i \le m$. For set $A_0$, $r_0^{(u)}$ is set to be the same
as $r^{(u)}$. It also chooses a set of unique random numbers $r_{i,j}^{(u)} \in \mathbb{Z}_p$, one for each
$0 \le i \le m$, $1 \le j \le n_i$. The issued key is:

$$SK_u = \Big( A,\ D = g^{(\alpha + r^{(u)})/\beta_1},\ D_{i,j} = g^{r_i^{(u)}} \cdot H(a_{i,j})^{r_{i,j}^{(u)}},\ D'_{i,j} = g^{r_{i,j}^{(u)}} \ \text{for } 0 \le i \le m,\ 1 \le j \le n_i,\ E_i = g^{(r^{(u)} - r_i^{(u)})/\beta_2} \ \text{for } 1 \le i \le m \Big)$$

Note that the operations on the exponents in the above equations are modulo the
order of the group, which is prime. Hence division in the exponent is well-defined.
We omit the mod for convenience. Elements $E_i$ enable translation from $r_i^{(u)}$ (i.e., set
$A_i$ at depth 2) to $r^{(u)}$ (i.e., the outer or parent set $A_0$ at depth 1) at the translating
nodes. Elements $E_i$ and $E_{i'}$ can be combined as $E_i / E_{i'}$ to enable translation from
$r_{i'}^{(u)}$ (i.e., set $A_{i'}$) to $r_i^{(u)}$ (i.e., the set $A_i$) at the translating nodes. Similarly, for a
key structure of depth $d$, there will be elements that enable translation from a set at
depth $d$ to its parent set at depth $d - 1$ and they will use $\beta_d$ and random numbers
corresponding to the appropriate sets.

Encrypt(PK, $M$, $\mathcal{T}$). $M$ is the message, $\mathcal{T}$ is an access tree. The algorithm
associates a polynomial $q_x$ with each node $x$ (including the leaves) in the tree $\mathcal{T}$.
These polynomials are chosen in the following way in a top-down manner, starting
from the root node $R$. For each internal node $x$ in the tree, the degree $d_x$ of the
polynomial $q_x$ is set to be one less than the threshold value $k_x$ of that node, that
is, $d_x = k_x - 1$. For leaf nodes the degree is set to be 0. For the root node $R$
the algorithm picks a random $s \in \mathbb{Z}_p$ and sets $q_R(0) = s$. Then, it chooses $d_R$ other
points randomly to define the polynomial $q_R$ completely. For any other node $x$, it
sets $q_x(0) = q_{\mathrm{parent}(x)}(\mathrm{index}(x))$ and chooses $d_x$ other points randomly to completely
define $q_x$. Here $\mathrm{parent}(x)$ denotes the parent node of $x$. Let $Y$ denote the set of
leaf nodes in $\mathcal{T}$. Let $X$ denote the set of translating nodes in the access tree $\mathcal{T}$. Then
the ciphertext CT returned is as follows:

$$CT = \Big( \mathcal{T},\ \tilde{C} = M \cdot e(g,g)^{\alpha s},\ C = h_1^{s},\ \hat{C} = h_2^{s},\ \forall y \in Y : C_y = g^{q_y(0)},\ C'_y = H(\mathrm{att}(y))^{q_y(0)},\ \forall x \in X : \hat{C}_x = h_2^{q_x(0)} \Big)$$

Translating values $\hat{C}_x$ together with the $E_i$ in user keys allow translation between
sets at a translating node $x$ as will be described in the Decrypt function. Note that
the element $\hat{C}$ is the same as $\hat{C}_r$ where $r$ denotes the root node. A variant of the
scheme would be one where $\hat{C}$ is not included in the ciphertext but is only released at
the discretion of the encrypting user as $\hat{C}_r$. This would restrict decrypting users to
only use individual attributes in the outer set except when explicitly allowed by the
encrypting user by designating translating nodes.

Decrypt(CT, SK_u). Here we describe the most straightforward decryption algorithm without regard to efficiency. The decryption algorithm is a recursive algorithm similar to the tree satisfaction algorithm described in Section 3.2. It first runs the tree satisfaction algorithm on the access tree with the key structure, i.e., $T(\mathbb{A})$, and stores the results of each of the recursive calls in the access tree T. That is, each node $t$ in the tree is associated with a set $S_t$ of labels that was returned by $T_t(\mathbb{A})$. If $\mathbb{A}$ does not satisfy the tree T then the decryption algorithm returns $\bot$. Otherwise the decryption algorithm picks one of the labels, $i$, from the set returned by $T(\mathbb{A})$ and calls a recursive function DecryptNode(CT, SK_u, t, i) on the root node of the tree. Here CT is the ciphertext $CT = (T, \tilde{C}, C, C', \forall y \in Y : C_y, C'_y, \forall x \in X : C_x)$, SK_u is a private key associated with a key structure denoted by $\mathbb{A}$, $t$ is a node from T, and $i$ is a label denoting a set of $\mathbb{A}$. Note that the ciphertext CT now contains tree information that is augmented by the results from $T(\mathbb{A})$. DecryptNode(CT, SK_u, t, i) is defined as follows.

If $t \in Y$, i.e., node $t$ is a leaf node, then DecryptNode(CT, SK_u, t, i) is defined as follows. If $\mathrm{att}(t) \notin A_i$ where $A_i \in \mathbb{A}$ then DecryptNode(CT, SK_u, t, i) $= \bot$. If $\mathrm{att}(t) = a_{i,j} \in A_i$ where $A_i \in \mathbb{A}$ then:

$$\mathrm{DecryptNode}(CT, SK_u, t, i) = \frac{e(D_{i,j}, C_t)}{e(D'_{i,j}, C'_t)} = \frac{e\big(g^{r_i^{\{u\}}} \cdot H(a_{i,j})^{r_{i,j}^{\{u\}}},\ g^{q_t(0)}\big)}{e\big(g^{r_{i,j}^{\{u\}}},\ H(a_{i,j})^{q_t(0)}\big)} = e(g,g)^{r_i^{\{u\}} q_t(0)}$$

Note that the set from which the satisfying attribute $a_{i,j}$ was picked is implicit in the result $e(g,g)^{r_i^{\{u\}} q_t(0)}$ (i.e., indicated by $r_i^{\{u\}}$). For the outer set $A_0$ the role of $r_0^{\{u\}}$ is played by $r^{\{u\}}$, which is why the root value below is $e(g,g)^{r^{\{u\}} s}$ when $i = 0$. When $t \notin Y$, i.e., node $t$ is a non-leaf node, then DecryptNode(CT, SK_u, t, i) proceeds as follows:

1. Compute $B_t$, an arbitrary $k_t$-sized set of child nodes $z$ such that $z \in B_t$ only if either (1) label $i \in S_z$ or (2) label $i' \in S_z$ for some $i' \neq i$ and $z$ is a translating node. If no such set exists then return $\bot$.

2. For each node $z \in B_t$ such that label $i \in S_z$ call DecryptNode(CT, SK_u, z, i) and store the output in $F_z$.

3. For each node $z \in B_t$ such that $i' \in S_z$ and $i' \neq i$ call DecryptNode(CT, SK_u, z, i') and store the output in $F'_z$. If $i \neq 0$ then translate $F'_z$ to $F_z$ as follows:

$$F_z = e(C_z, E_i / E_{i'}) \cdot F'_z = e\big(h_2^{q_z(0)},\ g^{(r_i^{\{u\}} - r_{i'}^{\{u\}})/\beta_2}\big) \cdot e(g,g)^{r_{i'}^{\{u\}} q_z(0)} = e(g,g)^{r_i^{\{u\}} q_z(0)}$$

Otherwise ($i = 0$), translate $F'_z$ to $F_z$ as follows:

$$F_z = \frac{e(C_z, E_{i'})}{F'_z} = \frac{e\big(h_2^{q_z(0)},\ g^{(r^{\{u\}} + r_{i'}^{\{u\}})/\beta_2}\big)}{e(g,g)^{r_{i'}^{\{u\}} q_z(0)}} = e(g,g)^{r^{\{u\}} q_z(0)}$$

4. Compute $F_t$ using polynomial interpolation in the exponent as follows:

$$F_t = \prod_{z \in B_t} F_z^{\Delta_{k, B'_t}(0)}, \quad \text{where } k = \mathrm{index}(z),\ B'_t = \{\mathrm{index}(z) : z \in B_t\}$$

and the Lagrange coefficient is $\Delta_{k,S}(x) = \prod_{j \in S,\, j \neq k} \frac{x - j}{k - j}$. Hence

$$F_t = \begin{cases} e(g,g)^{r_i^{\{u\}} q_t(0)} & \text{when } i \neq 0 \\ e(g,g)^{r^{\{u\}} q_t(0)} & \text{when } i = 0 \end{cases}$$

The output of DecryptNode(CT, SK_u, r, i) on the root node $r$ is stored in $F_r$. If $i = 0$ we have $F_r = e(g,g)^{r^{\{u\}} q_r(0)} = e(g,g)^{r^{\{u\}} s}$; otherwise we have $F_r = e(g,g)^{r_i^{\{u\}} s}$. If $i \neq 0$ then we compute $F$ as follows:

$$F = \frac{e(C', E_i)}{F_r} = \frac{e\big(h_2^{s},\ g^{(r^{\{u\}} + r_i^{\{u\}})/\beta_2}\big)}{e(g,g)^{r_i^{\{u\}} s}} = e(g,g)^{r^{\{u\}} s}$$

Otherwise $F = F_r$. The decryption algorithm then computes the following:

$$\frac{\tilde{C} \cdot F}{e(C, D)} = \frac{M \cdot e(g,g)^{\alpha s} \cdot e(g,g)^{r^{\{u\}} s}}{e\big(h_1^{s},\ g^{(\alpha + r^{\{u\}})/\beta_1}\big)} = M$$

Note how the two elements $E_i$ and $E_{i'}$, together with a translating value $C_t$ at a node $t$, were used to translate between sets $i$ and $i'$ at node $t$ in step 3. Similarly, note how a single element $E_i$ together with a translating value was used to translate between set $i$ and the outer set. We note that if $\beta_1 = \beta_2$ then the scheme would become insecure, as colluding users could transitively translate from an inner set $i$ to the outer set and then from one key to the other by using the $D$ elements from their keys. Thus we need a unique $\beta$ for every level that we need to support. When using key structures of depth $d$, the translating values $C_x$ that help translate between sets at depth $d$, or between a set at depth $d$ and its parent at depth $d-1$, will use $\beta_d$. And to allow translations across multiple levels at a given node, multiple translating values using different $\beta$'s will need to be released at that node.

Usage Example. We now demonstrate the usage of CP-ASBE with the example policy from Section 3.1.1. When using two-level key structures, the policy can be written as follows using threshold gates:

4 OF {(Course > 300), (Course < 400), (Grade > 2), (Year > 2007)}

Here, predicates such as Course > 300 will further be expanded and written using their constituent boolean attributes. Recall that numerical attributes in CP-ASBE are represented using a bag of bits representation, with a boolean attribute used to represent each bit of the numerical value, as described in Section 3.1.2. Users can be given keys with two levels. For example, for a user who has taken two courses the structure of the issued key is as follows:

({Course = 304, Grade = 2, Year = 2007}, {Course = 425, Grade = 3, Year = 2008})

While the user's key will contain translation elements $E_i$'s, as long as there is no designated translating node in the policy (i.e., ciphertext) the user will not be able to combine his Grade and Year attributes for Course 425 with those of Course 304 to satisfy the above policy.
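To make the Encrypt/Decrypt algebra above and the role of translating nodes in this example concrete, here is an added worked model (it is not code from the dissertation or from the cpasbe toolkit). It works at the exponent level, the generic-group view used in Section 3.4: every group element $g^x$ or $e(g,g)^x$ is represented by $x \in \mathbb{Z}_p$, so a pairing becomes a product of exponents and division in $G_1$ becomes subtraction, and no pairing library is needed. The tree encoding, attribute strings, the hash modeled as a random exponent, and all function names are this example's own assumptions.

```python
# Added example (not the dissertation's or the cpasbe toolkit's code): two-level CP-ASBE
# modeled at the exponent level, the generic-group view of Section 3.4. A group element
# g^x or e(g,g)^x is stored as x in Z_p, so pairing is exponent multiplication and division
# in G_1 is subtraction; H(att) = g^{t_att} for a random t_att kept in `table`. Label 0 is
# the outer set A_0, whose randomness is r^{u} itself; labels 1..m are the inner sets A_i.
import secrets

P = 2**61 - 1                                    # assumed prime group order
rand = lambda: secrets.randbelow(P - 1) + 1
inv = lambda x: pow(x, P - 2, P)
hash_att = lambda att, table: table.setdefault(att, rand())

def setup():   # MK = (alpha, beta_1, beta_2); in the exponent model PK (g^beta_i, e(g,g)^alpha) is the same numbers
    return {"alpha": rand(), "b1": rand(), "b2": rand()}

def keygen(mk, structure, table):
    """structure = {0: [outer attrs], 1: [...], ...} -> SK_u = (D, E_i, D_ij, D'_ij)."""
    r_u = rand()
    r = {i: (r_u if i == 0 else rand()) for i in structure}
    sk = {"D": (mk["alpha"] + r_u) * inv(mk["b1"]) % P, "E": {}, "Dij": {}, "Dpij": {}}
    for i, atts in structure.items():
        if i != 0:
            sk["E"][i] = (r_u + r[i]) * inv(mk["b2"]) % P             # g^{(r^u + r_i)/beta_2}
        for j in atts:
            r_ij = rand()
            sk["Dij"][(i, j)] = (r[i] + hash_att(j, table) * r_ij) % P  # g^{r_i} H(j)^{r_ij}
            sk["Dpij"][(i, j)] = r_ij                                   # g^{r_ij}
    return sk

def shares(q0, k, n):
    """q(1..n) for a random degree k-1 polynomial with q(0) = q0 (Encrypt's top-down step)."""
    coef = [q0] + [rand() for _ in range(k - 1)]
    return [sum(c * pow(x, d, P) for d, c in enumerate(coef)) % P for x in range(1, n + 1)]

def encrypt(pk, m, tree, table):
    """tree: leaf {'att': a} or node {'k': t, 'children': [...], 'trans': bool}; m = log M."""
    s = rand()
    ct = {"Ctil": (m + pk["alpha"] * s) % P, "C": pk["b1"] * s % P, "Cp": pk["b2"] * s % P}
    def assign(node, q0):
        if "att" in node:                         # C_y = g^{q_y(0)}, C'_y = H(att)^{q_y(0)}
            node["Cy"], node["Cpy"] = q0, hash_att(node["att"], table) * q0 % P
            return
        if node.get("trans"):
            node["Cx"] = pk["b2"] * q0 % P                                # C_x = h_2^{q_x(0)}
        for child, q in zip(node["children"], shares(q0, node["k"], len(node["children"]))):
            assign(child, q)
    assign(tree, s)
    ct["T"] = tree
    return ct

def lagrange0(S, k):                              # Delta_{k,S}(0)
    num = den = 1
    for j in S:
        if j != k:
            num, den = num * (-j) % P, den * (k - j) % P
    return num * inv(den) % P

def decrypt_node(sk, node, i):
    """Exponent of e(g,g)^{r_i q_t(0)} if label i satisfies the subtree at t, else None."""
    if "att" in node:                             # e(D_ij, C_t) / e(D'_ij, C'_t)
        key = (i, node["att"])
        return None if key not in sk["Dij"] else \
            (sk["Dij"][key] * node["Cy"] - sk["Dpij"][key] * node["Cpy"]) % P
    F = {}
    for idx, z in enumerate(node["children"], start=1):              # idx = index(z)
        Fz = decrypt_node(sk, z, i)
        if Fz is None and z.get("trans"):                              # step 3: translate
            for ip in (ip for ip in sk["E"] if ip != i):
                Fpz = decrypt_node(sk, z, ip)
                if Fpz is None:
                    continue
                if i != 0:    # e(C_z, E_i / E_i') . F'_z = e(g,g)^{r_i q_z(0)}
                    Fz = (z["Cx"] * (sk["E"][i] - sk["E"][ip]) + Fpz) % P
                else:         # e(C_z, E_i') / F'_z = e(g,g)^{r^u q_z(0)}
                    Fz = (z["Cx"] * sk["E"][ip] - Fpz) % P
                break
        if Fz is not None:
            F[idx] = Fz
    if len(F) < node["k"]:
        return None
    return sum(lagrange0(F, k) * Fz for k, Fz in F.items()) % P       # step 4: interpolate

def decrypt(ct, sk):
    for i in [0] + sorted(sk["E"]):
        Fr = decrypt_node(sk, ct["T"], i)
        if Fr is not None:
            F = Fr if i == 0 else (ct["Cp"] * sk["E"][i] - Fr) % P    # e(C', E_i) / F_r
            return (ct["Ctil"] + F - ct["C"] * sk["D"]) % P            # Ctil . F / e(C, D)
    return None

def demo():
    """(translating node lets sets 0 and 1 combine, same policy without it is blocked,
    inner-to-inner translation 2 -> 1 via E_1/E_2 followed by E_1 at the root)"""
    table, m = {}, 1234567
    mk = setup()
    sk = keygen(mk, {0: ["admin"], 1: ["course=304", "grade=2"], 2: ["course=425", "grade=3"]}, table)
    policy = lambda trans: {"k": 2, "children": [{"att": "admin"}, {"k": 2, "trans": trans,
              "children": [{"att": "course=304"}, {"att": "grade=2"}]}]}
    inner = {"k": 2, "children": [{"att": "grade=2"},
             {"k": 1, "trans": True, "children": [{"att": "grade=3"}]}]}
    return (decrypt(encrypt(mk, m, policy(True), table), sk) == m,
            decrypt(encrypt(mk, m, policy(False), table), sk) is None,
            decrypt(encrypt(mk, m, inner, table), sk) == m)
```

The second policy in `demo` is the situation of the usage example: the AND over the inner-set attributes is not a translating node, so set 1 cannot be combined with the outer attribute and decryption fails even though every attribute is present in the key. The model only exercises the translations the scheme defines ($E_i / E_{i'}$ between inner sets, a single $E_{i'}$ into the outer set), which is why it never tries to translate out of the outer set.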

3.4  Security 

The security proof for our scheme closely follows that of BSW CP-ABE [10] and uses the generic group [17, 66] and random oracle models [9]. Such a proof implies that the advantage of any adversary in the CP-ASBE security game is negligible, as long as it uses the underlying groups and hash functions in a generic manner and makes only polynomially many accesses to them.

Generic Bilinear Group [17]. A generic group $G_0$ with a bilinear map $e : G_0 \times G_0 \to G_1$ can be modeled by an oracle which uses random strings as handles for the elements in the two groups $G_0$ and $G_1$.³ More precisely, we consider an oracle $O$, which picks two random encodings of the additive group $\mathbb{F}_p$ into sufficiently long strings, i.e., injective maps $\psi_0, \psi_1 : \mathbb{F}_p \to \{0,1\}^m$, where $m > 3 \log(p)$. We write $G_0 = \{\psi_0(x) \mid x \in \mathbb{F}_p\}$ and $G_1 = \{\psi_1(x) \mid x \in \mathbb{F}_p\}$. The oracle provides access to the group operations (which we shall refer to as multiplication) in either group: for example, queries of the form $(\mathrm{multiply}_0, h, h')$ and $(\mathrm{inverse}_0, h)$ will be answered respectively by $\psi_0(\psi_0^{-1}(h) + \psi_0^{-1}(h'))$ and $\psi_0(-\psi_0^{-1}(h))$. If $h$ or $h'$ is not in the range of $\psi_0$, then the oracle returns $\bot$. The oracle also provides access to the identity elements $(\psi_0(0), \psi_1(0))$ and canonical generators $(\psi_0(1), \psi_1(1))$ for the two groups, as well as the ability to sample random elements in the groups. In addition, given a query $(\mathrm{pair}, h, h')$, where $h = \psi_0(a)$ and $h' = \psi_0(b)$, $O$ returns $h'' = \psi_1(ab)$. To relate to the notation of bilinear groups used in our construction, we will denote $\psi_0(1)$ by $g$ and $\psi_0(x)$ by $g^x$. Similarly we will let $e(g,g)^y$ denote $\psi_1(y)$. Then the above pairing query to the oracle will be written as $e(g^a, g^b)$ and the response as $e(g,g)^{ab}$.

³ We remark that it is not important to model the handles as random strings, but only as distinct handles that can be named by the adversary. But we stick to the convention from [17], that was used in [10], whose proof ours most closely resembles.

Finally, the oracle $O$ also includes a random function $H : \{0,1\}^* \to G_0$. It takes queries of the form $(\mathrm{hash}, a)$ for arbitrarily long strings $a$ and returns $H(a)$.

Theorem 3.1. Let $O$, $G_0$, $G_1$ and $H$ be as defined above. For any adversary $\mathcal{A}$ with access to $O$ in the security game for the CP-ASBE scheme in Section 3.3 (using $G_0$, $G_1$ and $H$), suppose $q$ is an upper bound on the total number of group elements it receives from queries to $O$ and interaction with the CP-ASBE security game. Then the advantage of $\mathcal{A}$ in the CP-ASBE security game is $O(q^2/p)$.

Proof Intuition. Let us say that $s$ is the random secret split according to the access structure T as described in the Encrypt function of Section 3.3. Let T' be an access structure derived from T by removing the sub-trees under all translating nodes, i.e., translating nodes become leaf nodes. For simplicity, let us assume for now that all the leaves of T' are translating nodes in the original access structure T. Let $q_t(0)$ represent the secret share associated with a translating node $t$. A user has to obtain $e(g,g)^{\alpha s}$ to recover the message encrypted using the access structure T. He could pair $C = g^{\beta_1 s}$ given in the ciphertext with $D = g^{(\alpha + r^{\{u\}})/\beta_1}$ in his key to obtain $e(g,g)^{\alpha s + r^{\{u\}} s}$, i.e., $e(g,g)^{\alpha s}$ blinded by $e(g,g)^{r^{\{u\}} s}$. A user can cancel out $e(g,g)^{r^{\{u\}} s}$ only if he satisfies the tree, i.e., by obtaining a set of values $e(g,g)^{r^{\{u\}} q_t(0)}$ that can reconstruct $e(g,g)^{r^{\{u\}} s}$. One can think of the key components given for each set of attributes in the key structure as a unique key under the BSW scheme. That is, if $r^{\{u\}}$ is the unique random number used in our CP-ASBE key, then the set of key components (including the translation element) corresponding to each set $A_i$ can be thought of as a BSW key issued using a master secret key $(\beta_2, g^{r^{\{u\}}})$. Furthermore, each of the sub-trees rooted at a translating node can be thought of as an access structure under the BSW scheme. Thus a given sub-tree can only be satisfied using attributes from a single set, i.e. a single BSW key, as BSW is collusion resistant. The proof below shows that the additional group elements that are available to an adversary in our scheme do not adversely affect this collusion resistance. Thus a user who has a key with a set that can satisfy the sub-tree under a translating node $t$ can obtain $e(g,g)^{r^{\{u\}} q_t(0)}$. And since $r^{\{u\}}$ is unique to a CP-ASBE key, only attributes from sets within a single CP-ASBE key can be used to satisfy T' and thus the original access structure.

Proof. Recall that in the CP-ASBE security game the adversary has to distinguish between the challenge ciphertexts $M_0 \cdot e(g,g)^{\alpha s}$ and $M_1 \cdot e(g,g)^{\alpha s}$. By a standard hybrid argument one can consider a modified security game in which the adversary has to distinguish between the challenge ciphertexts $e(g,g)^{\alpha s}$ and $e(g,g)^{\theta}$, where $\theta$ is selected uniformly at random from $\mathbb{F}_p$. It is easy to show that any adversary that has advantage $\epsilon$ in the original CP-ASBE game can be transformed into an adversary that has an advantage of at least $\epsilon/2$ in the modified game. We will now bound the adversary's advantage in the modified game to prove the theorem.

For this we describe a simulation of the modified game, such that the adversary's view in the simulation is distributed identically to that in the modified security game with challenge ciphertext $e(g,g)^{\theta}$. Further, conditioned on an event of probability $1 - O(q^2/p)$ in the simulation, we will show that this view is identical to what it would have been in the modified security game with challenge ciphertext $e(g,g)^{\alpha s}$. Thus we will conclude that the advantage of the adversary is at most $O(q^2/p)$.

At setup time the simulation chooses $\alpha, \beta_1, \beta_2$ at random from $\mathbb{F}_p$. If $\beta_1 = 0$ or $\beta_2 = 0$ then setup is aborted, just as it would be in the actual scheme. The public parameters $h_1 = g^{\beta_1}$, $h_2 = g^{\beta_2}$, $f_1 = g^{1/\beta_1}$, $f_2 = g^{1/\beta_2}$, and $e(g,g)^{\alpha}$ are sent to the adversary.

When the adversary or the simulation calls for evaluation of $H$ on any new attribute string $a$, a new random value $t_a$ is chosen from $\mathbb{F}_p$, and the simulation provides $g^{t_a}$ as the response to $H(a)$ and stores it to respond to future queries on $a$. When the adversary makes its $k$'th key generation query for key structure $\mathbb{A}^k$, the simulation picks (1) a new random value $r^{\{k\}}$ from $\mathbb{F}_p$, (2) a new random value $r_i^{\{k\}}$ for every subset $A_i^k \in \mathbb{A}^k$ and (3) a new random value $r_{i,j}^{\{k\}}$ for every $a_{i,j} \in A_i^k$, for every $A_i^k \in \mathbb{A}^k$. It then computes (1) $D = g^{(\alpha + r^{\{k\}})/\beta_1}$, (2) $D_{i,j} = g^{r_i^{\{k\}} + t_j r_{i,j}^{\{k\}}}$ and $D'_{i,j} = g^{r_{i,j}^{\{k\}}}$ for each $j \in A_i^k$ and each $A_i^k \in \mathbb{A}^k$, and (3) $E_i = g^{(r^{\{k\}} + r_i^{\{k\}})/\beta_2}$ for each $A_i^k \in \mathbb{A}^k$. These values are passed on to the adversary.

In the challenge phase the adversary outputs a challenge access structure T* along with two equal length messages $M_0, M_1 \in G_1$. Let $X^*$ denote the set of converging nodes (i.e., translating nodes) in T*. Let $Y^*$ denote the set of leaf nodes in the access tree T*. The simulator chooses a random $s \in \mathbb{F}_p$ and uses the linear secret sharing scheme associated with T*, as described in the Encrypt function of Section 3.3, to construct shares $q_y(0)$ of $s$ for all $y \in Y^*$. Let $\delta_x$ represent $q_x(0)$ for all $x \in X^*$, where $q_x$ is the polynomial associated with node $x$ as described in the Encrypt function of Section 3.3. Note that every leaf node is a descendant of a unique converging node. Let $\lambda_{x,j}$ represent $q_y(0)$ where $y \in Y^*$ is a descendant of $x \in X^*$ and represents attribute $j$.⁴ Furthermore, note that the choice of the $\delta_x$ can be perfectly simulated by choosing $v$ random values $\mu_1, \ldots, \mu_v$ uniformly and independently from $\mathbb{F}_p$, for some value of $v$, and then letting each $\delta_x$ be a fixed public linear combination of the $\mu_v$'s and $s$. Similarly, we can think of the $\lambda_{x,j}$'s as fixed linear combinations of some constants $\mu'_1, \ldots, \mu'_{v'}$ and $\delta_x$. We will think of the $\delta_x$'s and $\lambda_{x,j}$'s as such linear combinations later.

Finally the simulation chooses a random $\theta \in \mathbb{F}_p$, and constructs the encryption as follows: $\tilde{C} = e(g,g)^{\theta}$, $C = h_1^{s}$, $\forall y \in Y^* : C_y = g^{\lambda_{x,j}}$ and $C'_y = g^{t_j \lambda_{x,j}}$, and $\forall x \in X^* : C_x = h_2^{\delta_x}$. These values are sent to the adversary.

When the adversary makes a query to the group oracles, if the adversary provides as input a handle $h$ that it did not receive from the oracle, then with probability $1 - O(1/p^2)$ such a handle is not in the range of $\psi_0$ or $\psi_1$. So, by conditioning on an event of probability $1 - O(q/p^2)$ ($q$ being an upper bound on the number of oracle queries made during the entire simulation), we can assume that the oracle provides answers only to queries which use handles already given out by the oracle. As such we may keep track of the algebraic expressions being called for from the oracles as long as no "accidental collisions" occur. Specifically, we think of an oracle query as being a rational function $\nu = \eta/\xi$ in the variables $\theta, \alpha, \beta_1, \beta_2$, the $t_j$'s, the $r^{\{k\}}$'s, the $r_i^{\{k\}}$'s, the $r_{i,j}^{\{k\}}$'s, $s$, and the $\mu_v$'s. An accidental collision is said to occur if two distinct formal queries $\eta/\xi \neq \eta'/\xi'$ have the same value due to the random choices of the variables. We now condition on no such "accidental collisions" occurring in either group $G_0$ or $G_1$. For any pair of distinct formal queries $\eta/\xi$ and $\eta'/\xi'$ within a group, an accidental collision occurs only if the non-zero polynomial $\eta\xi' - \xi\eta'$ evaluates to zero. The total degree of $\eta\xi' - \xi\eta'$ in our case is a constant (at most 5). Then by the Schwartz-Zippel lemma [64, 77] the probability of an accidental collision between any pair of formal queries is $O(1/p)$. By a union bound, the probability that any such collision happens in our simulation is at most $O(q^2/p)$. Thus we can condition on no "accidental collisions" occurring while retaining $1 - O(q^2/p)$ of the probability mass.

⁴ Note that we are assuming here that a given attribute is not represented by multiple leaf nodes descending from the same converging node. We can accommodate such policies by adding one more variable subscript to $\lambda$ that identifies its position among the descendants of a given converging node. We omit it here for clarity.

Now we show that, subject to the condition that no "accidental collisions" occur, the view of the adversary is identically distributed when we set $\theta = \alpha \cdot s$ in the simulation. Since we are in the generic group model where each group element is uniformly and independently chosen, the only way that the adversary's view can differ in the case $\theta = \alpha \cdot s$ is if there are two queries $\nu$ and $\nu'$ into $G_1$ such that $\nu \neq \nu'$ but $\nu|_{\theta = \alpha s} = \nu'|_{\theta = \alpha s}$. Since $\theta$ only occurs as $e(g,g)^{\theta}$ in $G_1$, the only dependence $\nu$ or $\nu'$ can have on $\theta$ is by having some additive terms of the form $\gamma \cdot \theta$ where $\gamma$ is a constant. Therefore we must have that $\nu - \nu' = \gamma \cdot \alpha \cdot s - \gamma \cdot \theta$ for some constant $\gamma \neq 0$ for the adversary's view to be different in the two simulations. We can then artificially add the query $\nu - \nu' + \gamma \cdot \theta = \gamma \cdot \alpha \cdot s$ to the adversary's queries. We will now do a case analysis based on the information given to the adversary by the simulation to show that an adversary can never construct a query for $e(g,g)^{\gamma \cdot \alpha \cdot s}$, which will establish the theorem.

Table 3.1: Possible adversary query terms in $G_1$

$$\begin{array}{lll}
t_j & t_j t_{j'} & r_{i,j}^{\{k\}} \\[4pt]
t_{j'} r_{i,j}^{\{k\}} & r_i^{\{k\}} + t_j r_{i,j}^{\{k\}} & t_{j'} r_i^{\{k\}} + t_j t_{j'} r_{i,j}^{\{k\}} \\[4pt]
r_{i,j}^{\{k\}} r_{i',j'}^{\{k'\}} & r_{i,j}^{\{k\}} r_{i'}^{\{k'\}} + t_{j'} r_{i,j}^{\{k\}} r_{i',j'}^{\{k'\}} & (r_i^{\{k\}} + t_j r_{i,j}^{\{k\}})(r_{i'}^{\{k'\}} + t_{j'} r_{i',j'}^{\{k'\}}) \\[4pt]
\lambda_{x,j} & t_j \lambda_{x,j} & t_j t_{j'} \lambda_{x,j} \\[4pt]
\lambda_{x,j} \lambda_{x',j'} & t_j \lambda_{x,j} \lambda_{x',j'} & t_j t_{j'} \lambda_{x,j} \lambda_{x',j'} \\[4pt]
r_{i,j}^{\{k\}} \lambda_{x,j'} & r_{i,j}^{\{k\}} t_{j'} \lambda_{x,j'} & r_i^{\{k\}} \lambda_{x,j'} + t_j r_{i,j}^{\{k\}} \lambda_{x,j'} \\[4pt]
t_{j'} r_i^{\{k\}} \lambda_{x,j'} + t_j t_{j'} r_{i,j}^{\{k\}} \lambda_{x,j'} & \alpha + r^{\{k\}} & s \\[4pt]
\alpha s + r^{\{k\}} s & \delta_x & r^{\{k\}} + r_i^{\{k\}} \\[4pt]
r^{\{k\}} \delta_x + r_i^{\{k\}} \delta_x & &
\end{array}$$

Table 3.1 enumerates all the possible queries into $G_1$ by means of the bilinear map and the group elements given to the adversary by the simulation, except for those that involve $\beta_1$ or $\beta_2$ in every monomial, as they will not be relevant for constructing a query involving $\alpha \cdot s$. Here the variables $j$ and $j'$ are possible attribute strings, variables $k$ and $k'$ are indices of secret key queries made by the adversary, and variables $i$ and $i'$ are indices of attribute subsets in a given secret key. The queries are given in terms of the $\lambda_{x,j}$'s and $\delta_x$'s and not in terms of the $\mu_v$'s and $\mu'_v$'s. The adversary has access to $1$ and $\alpha$ in group $G_1$ in addition to the queries shown in Table 3.1. The adversary can query for an arbitrary linear combination of these and we will show that no such linear combination can produce a polynomial of the form $\gamma \cdot \alpha \cdot s$ for some constant $\gamma \neq 0$.
From Table 3.1 we see that the only way for an adversary to create a term containing $\alpha s$ is by pairing $s\beta_1$ with $(\alpha + r^{\{k\}})/\beta_1$ to get $\alpha s + r^{\{k\}} s$. The adversary could create a query polynomial of the form $\gamma \alpha s + \sum_{k \in T} \gamma_k r^{\{k\}} s$, for some set $T$ and constants $\gamma, \gamma_k \neq 0$. In order for the adversary to get a query polynomial of the form $\gamma \alpha s$ the adversary must add other terms in order to cancel the terms of $\sum_{k \in T} \gamma_k r^{\{k\}} s$. Observe that the only terms of the form $r^{\{k\}} s$ that the adversary has access to are obtained by pairing $\beta_2 \delta_x$ terms with $(r^{\{k\}} + r_i^{\{k\}})/\beta_2$ terms, since the $\delta_x$'s are linear combinations of the $\mu_v$'s and $s$. The adversary could create a query polynomial of the following form, for sets $T'_k$ and constants $\gamma_{(i,k,x)} \neq 0$:

$$\gamma \alpha s + \sum_{k \in T} \Big( \gamma_k r^{\{k\}} s + \sum_{(i,x) \in T'_k} \gamma_{(i,k,x)} \big( r^{\{k\}} \delta_x + r_i^{\{k\}} \delta_x \big) \Big)$$

By design there exists at least one non-empty set of $\delta_x$'s that can reconstruct $s$. Without loss of generality we will assume that $\forall k \in T$ the adversary picks a set $T'_k$ such that the set $\{\delta_x \mid (i,x) \in T'_k\}$ can reconstruct $s$. (For otherwise the adversary's polynomial cannot be of the form $\gamma \alpha s$, thus proving the theorem.) The adversary still needs to add other terms to cancel terms of the form $\sum_{(i,x) \in T'_k} \gamma_{(i,k,x)} r_i^{\{k\}} \delta_x$, $\forall k \in T$, in order to obtain a query polynomial of the form $\gamma \alpha s$. Note that the only other terms of the form $r_i^{\{k\}} \delta_x$ that the adversary has access to are obtained by pairing $r_i^{\{k\}} + t_j r_{i,j}^{\{k\}}$ with some $\lambda_{x,j'}$, as $\lambda_{x,j'}$ is a linear combination of the $\mu'_v$'s and $\delta_x$. Thus the adversary could create a query polynomial of the following form:

$$\gamma \alpha s + \sum_{k \in T} \Bigg( \gamma_k r^{\{k\}} s + \sum_{(i,x) \in T'_k} \gamma_{(k,i,x)} \big( r^{\{k\}} \delta_x \big) + \sum_{(i,x) \in T'_k} \gamma_{(k,i,x)} \Big( r_i^{\{k\}} \delta_x + \sum_{(j,j') \in T''_{k,i,x}} \gamma_{(k,i,x,j,j')} \big( r_i^{\{k\}} + t_j r_{i,j}^{\{k\}} \big) \lambda_{x,j'} \Big) \Bigg)$$

The following case analysis concludes the proof:

Case 1: There exists some $k \in T$ and $(i,x) \in T'_k$ such that the set of shares $L_{k,i,x} = \{\lambda_{x,j'} : \exists j : (j,j') \in T''_{k,i,x}\}$ does not allow for the reconstruction of $\delta_x$. In this case, the term $r_i^{\{k\}} \delta_x$ will not be canceled and the adversary's query polynomial cannot be of the form $\gamma \alpha s$.

Case 2: For all $k \in T$ and $\forall (i,x) \in T'_k$ the set of shares $L_{k,i,x} = \{\lambda_{x,j'} : \exists j : (j,j') \in T''_{k,i,x}\}$ allows for the reconstruction of $\delta_x$. Then the only terms left in the adversary's query polynomial other than $\gamma \alpha s$ are of the form $t_j r_{i,j}^{\{k\}} \lambda_{x,j'}$, and the adversary needs to add other terms to cancel them from the query. As seen in Table 3.1, the only term the adversary has access to that he can use to cancel terms of the form $t_j r_{i,j}^{\{k\}} \lambda_{x,j'}$ is the term $r_{i,j}^{\{k\}} t_{j'} \lambda_{x,j'}$, but only when $j = j'$. We will now show that there is at least one term of the form $t_j r_{i,j}^{\{k\}} \lambda_{x,j'}$ in the adversary's query polynomial such that $j \neq j'$, to complete the proof.

Fix any $k \in T$. Consider $\mathbb{A}^k$, the key structure corresponding to the $k$'th adversary key. By the assumption that no key should pass the challenge access structure, and the properties of the secret sharing scheme, we know that there exists a $\delta_x$ with $\exists i : (i,x) \in T'_k$ such that the set of shares $L'_{k,i,x} = \{\lambda_{x,j} : j \in A_i^k,\ A_i^k \in \mathbb{A}^k\}$ cannot reconstruct $\delta_x$ for any $i : A_i^k \in \mathbb{A}^k$. Thus there must exist at least one $\lambda_{x,j'} \in L_{k,i,x}$ that is linearly independent of $L'_{k,i,x}$ when written in terms of $\delta_x$ and the $\mu'_v$'s. Thus for at least one $\lambda_{x,j'} \in L_{k,i,x}$ there will be a term of the form $t_j r_{i,j}^{\{k\}} \lambda_{x,j'}$ with $j \neq j'$ left behind in the query, for the adversary does not have access to a term that can cancel it, as is evident from Table 3.1. Therefore no adversary query polynomial can be of the form $\gamma \alpha s$.

□


3.5  Efficiency  Analysis 

In this section we discuss the efficiency of the CP-ASBE scheme instantiated with two levels. It is straightforward to estimate the efficiency of our key generation and encryption algorithms. In terms of computation, our key generation algorithm requires two exponentiations for every attribute in the key issued to the user and two exponentiations for every set (including recursive sets for a scheme with levels > 2) in the key. In terms of key size, the private key contains two group elements per attribute and one group element per attribute set. Compared to BSW the additional key generation cost is two exponentiations for every attribute set in terms of computation and one group element per attribute set in terms of size. Encryption involves two exponentiations per leaf node in the tree and one exponentiation per translating node in the tree. The ciphertext contains two group elements per leaf node and one group element per translating node. Compared to BSW the additional cost is one exponentiation per translating node in terms of computation and one group element per translating node in terms of size. The cost of decrypting a given ciphertext however varies depending on the key used for decryption. Even for a given key there might be multiple ways to satisfy the associated access tree. The decrypt algorithm needs 1) two pairings for every leaf node used to satisfy the tree, 2) one pairing for every translating node on the path from the leaf node used to the root and 3) one exponentiation for every node on the path from the leaf node to the root. However, by employing the optimization technique of flattening the recursive calls to DecryptNode, as described in BSW [10] albeit modified to accommodate translating nodes, we can reduce the cost to 1) two pairings and one exponentiation per leaf node used and 2) one pairing and one exponentiation per translating node on the path from a used leaf node to the root. Compared to BSW the additional cost is one pairing and one exponentiation per translating node on the path from a used leaf node to the root. In a multi-level (level > 2) instantiation the overhead will be per translation rather than per translating node, as multiple translations may be needed at a given translating node for such instantiations.

3.6  Implementation 

We have implemented a two-level CP-ASBE scheme with an optimized decryption function. Our implementation leverages the cpabe toolkit (http://acsc.csl.sri.com/cpabe/) developed for BSW, which uses the Pairing-Based Cryptography library (http://crypto.stanford.edu/pbc/). The interface for the cpasbe toolkit is similar to that of the cpabe toolkit and is as follows:

cpasbe-setup  Generates a public key and a master key.

cpasbe-keygen  Given a master key, generates a private key for a given set of attributes; compiles numerical attributes into a 'bag of bits' representation and treats the resulting attributes as a 'set'.

cpasbe-enc  Given a public key, encrypts a file under a given access policy; numerical comparisons in the policy are represented by access sub-trees comprising the 'bag of bits' representation of the numerical attribute, with the root node of the sub-tree treated as a translating node.

cpasbe-dec  Decrypts a file, given a private key.

The cpasbe toolkit is similar to the cpabe toolkit in that it supports numerical attributes and range queries (i.e., numerical comparisons) in access policies. However, unlike in the cpabe toolkit, numerical attributes in cpasbe are treated as sets, and thus the cpasbe toolkit supports multiple numerical value assignments to a given attribute in a single private key. Thus a user with a private key generated using the following command cannot claim any score other than 33 and 30.

$ cpasbe-keygen -o tom-priv-key pub-key master-key 'score=33' 'score=30' tom

An initial performance evaluation of two-level CP-ASBE using this implementation is discussed in Section 5.1.3.
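The claim that the key above cannot be used to claim any score other than 33 and 30 is a statement about the tree satisfaction algorithm of Section 3.2 (the $S_t$ label sets used by Decrypt) applied to 'bag of bits' attributes. The following is an added example that shows it on the policy side only, without any group arithmetic; it is not code from the dissertation or the cpasbe toolkit. The bit-attribute string format (`score:b5=1`), the shapes of the comparison sub-trees, and the function names are this example's own assumptions, so the toolkit's policy compiler may produce different trees with the same meaning.

```python
# Added example (not the dissertation's or the cpasbe toolkit's code): key-structure
# satisfaction with bag-of-bits numerical attributes. The bit-attribute string format
# ('score:b5=1'), the comparison tree shapes and the function names are this example's
# assumptions. A key structure is {label: set_of_attribute_strings} with label 0 the outer
# set; a policy node is a leaf {'att': a} or {'k': t, 'children': [...], 'trans': bool}.

def bits_of(name, value, nbits=8):
    """One boolean attribute per bit of an unsigned nbits-bit value."""
    return {f"{name}:b{k}={(value >> k) & 1}" for k in range(nbits)}

def bit(name, k, v):
    return {"att": f"{name}:b{k}={v}"}

def AND(children):
    return {"k": len(children), "children": children}

def OR(children):
    return {"k": 1, "children": children}

def eq_tree(name, value, nbits=8):
    return AND([bit(name, k, (value >> k) & 1) for k in range(nbits)])

def _ge(name, value, nbits):
    """name >= value, scanning from the top bit; None stands for 'always true'."""
    if value == 0:
        return None
    top = nbits - 1
    rest = _ge(name, value & ((1 << top) - 1), top)
    if (value >> top) & 1:                  # top bit must be set and low bits >= rest
        return bit(name, top, 1) if rest is None else AND([bit(name, top, 1), rest])
    return OR([bit(name, top, 1), rest])    # top bit set suffices, else compare low bits

def ge_tree(name, value, nbits=8):
    assert 0 <= value < (1 << nbits)
    return _ge(name, value, nbits) or AND([])   # an empty AND is satisfied by every set

def gt_tree(name, value, nbits=8):
    return ge_tree(name, value + 1, nbits)

def labels(node, key):
    """S_t of the tree satisfaction algorithm: labels i such that set A_i satisfies the
    subtree at t, counting a translating child whenever any single set satisfies it."""
    if "att" in node:
        return {i for i, atts in key.items() if node["att"] in atts}
    child_S = [labels(c, key) for c in node["children"]]
    usable = lambda i: sum(1 for c, S in zip(node["children"], child_S)
                           if i in S or (c.get("trans") and S))
    return {i for i in key if usable(i) >= node["k"]}

def satisfies(policy, key):
    return bool(labels(policy, key))

def demo():
    # $ cpasbe-keygen ... 'score=33' 'score=30' tom : each numeric value is its own set
    sets = {0: {"tom"}, 1: bits_of("score", 33), 2: bits_of("score", 30)}
    flat = {0: {"tom"} | bits_of("score", 33) | bits_of("score", 30)}   # one BSW-style set
    policy = lambda cmp: AND([{"att": "tom"}, dict(cmp, trans=True)])   # comparison root translates
    return {
        "ge32_sets": satisfies(policy(ge_tree("score", 32)), sets),    # 33 >= 32
        "gt33_sets": satisfies(policy(gt_tree("score", 33)), sets),    # neither value
        "eq31_sets": satisfies(policy(eq_tree("score", 31)), sets),    # bits of 31 split across sets
        "eq31_flat": satisfies(policy(eq_tree("score", 31)), flat),    # mixed from 33 and 30
    }
```

With a flat, BSW-style key the bits of 33 (100001) and 30 (011110) can be mixed to claim 31 (011111); with each value in its own set the exact-match sub-tree, whose root is the only translating node, must be satisfied by a single set and the claim fails.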
Chapter 4


Data  Sharing  Based  on  Private,  Context  Sensitive  Policies 

In many scenarios, data sharing is based on policies that include contextual information. The scenario we consider is data sharing in the electric power grid, where power system operators need to cooperate with each other to operate the grid safely and reliably but also compete with each other as business entities. Increasing power consumption and major recent events such as the August 2003 blackout [73] mean that system operators are compelled to share sensitive data to improve the reliability of the grid through wide area measurement, monitoring and control. In deregulated grids worldwide, and in the North American grid in particular, utilities share sensitive data with their local Reliability Coordinators (RCs) as required by regulatory laws. However, they might not be comfortable disclosing sensitive data to other entities except under certain conditions, including transient conditions in the grid at the time of access. For example, Utility A might be willing to share certain data 1) with some utilities right away while with others only after four hours have elapsed since the data was generated, or 2) with any Utility X under the jurisdiction of RC B during a frequency or voltage disturbance. In many cases it is the context-based policy that drives the data sharing, while the number of recipients or their identities may not be known in advance. Interestingly, it is not just the data that is sensitive but also the policies for sharing the data. For example, if the second policy rule in the example above, involving the context of a major transmission disturbance, were to be in clear text, then anyone observing significant network traffic with that policy might be able to conclude that a major event has occurred. This could result in negative publicity, loss of market revenue or an increase in attacks for Utility A. In general, policies may be sensitive because they directly contain sensitive information, reveal information about the underlying data protected by the policy, or reveal information about the data owner or the data recipients.

An effective approach for addressing the requirements of the power grid data sharing problem requires techniques that go beyond the capabilities of today's solutions in the area. Specifically, there is a need for policy-based data sharing techniques that support 1) multiple recipients, 2) data and policy secrecy and 3) context-based policy enforcement. Furthermore, in order to be practical, techniques with these properties must be efficient (in terms of key management), support flexible policy specifications, be secure in the presence of active adversaries, and be compatible with existing distributed networking and systems technologies. Past work in this area has addressed only a subset of these problems. Identity Based Encryption (IBE) [16] systems and the policy-based cryptographic schemes proposed in [2, 8] allow the association of a flexible policy with objects and support exchange in open distributed systems, but do not keep the policy secret and are designed for two-party communication where the sender identifies the recipient in the encryption. Several works in the area of "hidden policies and credentials" [18, 33, 48] provide message and policy secrecy but focus on two-party interactions. Attribute Based Encryption (ABE) systems such as Ciphertext-Policy ABE (CP-ABE) [10, 24, 36, 49], including our CP-ASBE scheme, and the cryptographic file system FSGuard [69] allow the association of flexible policies with objects for multiple recipients defined by those policies and support exchange in open distributed systems, but do not provide policy secrecy and cannot support context-based policies. Recent work by [55] extends CP-ABE to support policy secrecy but significantly limits its policy flexibility and does not support context-based policies. The Predicate Encryption scheme proposed in [43] also allows the association of flexible policies with objects for multiple recipients defined by those policies, supports exchange in open distributed systems and provides policy secrecy, but does not support context-based policies. PEAPOD [42] focuses on one-to-many messaging with both message and policy secrecy but does not provide efficient key management and is also vulnerable to collusion attacks. The policy-based cryptography scheme in [7] is also vulnerable to collusion attacks.

In this chapter we develop an application-independent Policy Based Encryption System (PBES) that proposes a solution to this new problem of providing all of the above-mentioned properties. We first build a new encryption scheme, PKEM-DEM (Policy and Key Encapsulation Mechanism - Data Encapsulation Mechanism), for encrypting objects and policies and show that it is secure against adaptive chosen ciphertext attacks in the random oracle model. The encryption scheme builds on recent work in KEM-DEM hybrid encryption schemes [27]. In addition to the notions of message indistinguishability and policy indistinguishability we define and prove a new notion of pairwise indistinguishability, where adversaries need to distinguish between pairs of messages and policies¹. We then use this scheme to construct the PBES system that provides the three properties mentioned above. For decryption PBES utilizes trusted Key Distribution Centers (KDCs) that mediate decryption of objects for recipients and enforce the policies associated with the objects. We leverage the KDCs for policy enforcement and provide very efficient key management as well as immediate revocation. We then discuss design issues for developing applications using PBES; e.g., key distribution and placement of trust in KDCs.

PBES employs trusted key servers, and from a systems perspective this approach is reasonable for regulated environments such as the power grid; in fact, the grid regularly uses trusted servers for ensuring reliability and security. In terms of encryption techniques this design approach first made it seem like the solution might be easy; however, it turned out that this was not the case. We looked at leading Public Key Infrastructure (PKI), Role-Based Access Control (RBAC) and secure publish/subscribe systems that typically employ trusted servers for mediated access control but were unable to satisfy the requirements. Specifically, the requirements for policy secrecy and context-based policy enforcement could not be satisfied. PBES satisfies these requirements and also provides efficiency, security and flexibility. While the scheme is motivated by the data sharing problem in the power grid, PBES is suitable for many large-scale systems that share features with the power grid. Regulated environments such as medical and financial information systems often employ trusted mediators and share environmental features with the power grid; examples of trusted entities include the Centers for Disease Control and Prevention (CDC) in the public health domain and the Securities and Exchange Commission in the financial domain. Even outside regulated domains, suitable application domains include those where domains have partial trust or provide auditing capabilities for the services provided by the trusted servers.

¹ A similar notion is independently defined and used by [55].

The rest of this chapter is organized as follows. In Section 4.1 we present our approach. In Section 4.2 we present the notation used and the security notions. In Section 4.3 we present the building blocks used in our system. In Section 4.4 we present our policy based encryption system and analyze its security in Section 4.5. In Section 4.6 we discuss application design issues when using PBES.

4.1 Approach

4.1.1 Related Approaches

An ideal solution for the data sharing problem in the power grid would be one that does not require trusted servers to enforce the policy. However, existing techniques that enforce the policy cryptographically and provide policy secrecy, like CP-ABE [55, 43], are not adequate as they cannot support flexible context-based policies. Furthermore, the power grid data sharing application and its properties discussed above indicate that the presence of a Trusted Third Party (TTP) that enforces access control is acceptable and perhaps even needed. The RCs and Independent System Operators (ISOs) regularly mediate power flow and markets to keep the system stable and provide a means for establishing TTPs for access control. With a TTP the problem of developing an appropriate policy-based data sharing solution appears within reach at first, in that it can leverage many existing tools and technologies already developed in the area. However, it turns out that none of these leading technologies can satisfy the requirements above. In particular, they are unable to efficiently and securely provide policy secrecy and flexible context-based policy enforcement. To show this we evaluate the suitability of Public Key Infrastructure tools, Role-Based Access Control systems, and secure publish-subscribe event dissemination systems and discuss their shortcomings.

PKI, RBAC and context-based policy enforcement. Public Key Infrastructure (PKI) tools with identity and attribute certificates provide data sharing between parties with the help of trusted certificate authorities. One can design policy-based data sharing solutions where a combination of attributes in attribute certificates is used to specify the policy. Unfortunately, such solutions would be vulnerable to collusion and would also fail to provide policy secrecy. RBAC systems take PKI one step forward by providing a level of indirection between users and permissions. They achieve this by assigning users to roles via role membership certificates and roles to permissions for access control. This indirection has been utilized by several RBAC solutions such as OASIS [5] to provide context-based policy enforcement, whereby users can "activate" their roles and execute operations based on the assumed role permissions only if certain context/environment policies (as verified by trusted access control servers) are satisfied. If we attempt to extend such solutions to address the requirements specified above we would face two limitations. First, in order to ensure policy secrecy, data generators would have to specify policies at every access control server over secure channels for every data distribution action. Second, specifying multi-domain contexts for policy enforcement may impose impractical constraints on role activation because users may need special roles dedicated to this multi-domain data sharing application.

Secure Publish Subscribe Systems. Pub/sub systems are related to the policy-based data sharing systems discussed in this work in that publishers and subscribers relate to data generators and consumers, and brokers in the pub/sub infrastructure relate to servers enforcing access control policies. Research in secure pub/sub systems in general, and in those that provide content encryption in particular, offers potential solutions to the problem at hand. In essence, techniques for encrypted content distribution via pub/sub systems use symmetric keys to encrypt events with selective attributes and then employ fully or partially trusted key servers to distribute those keys to subscribers based on their subscriptions. To allow routing of encrypted content these schemes may share keys with routers [4], expose certain attributes in clear-text for routing purposes, or use encryption-matching functions [70]. Solutions such as [4] carry over the limitations of RBAC systems identified above. If we attempt to use a secure pub/sub solution like [70] for our application we again face limitations. First, ensuring policy secrecy for a flexible policy language requires publishers and subscribers to maintain a large number of keys and requires the system to maintain a significant amount of auxiliary data that maps policies to keys. Second, the solution uses time epochs for coarse-grained revocation, and the system would have to be significantly enhanced to support context-based policies that may need ephemeral keys for the various transient events.

Figure 4.1: Policy-based Message Encryption and Decryption. $E(o) = (O_{pkem}, O_{dem})$, where $O_{pkem}$ is an encapsulation of policy $pol$ and key $k$, and $O_{dem}$ is an encapsulation of object $o$ with key $k$.

4.1.2 Our Approach - PBES

The above analysis is not intended to conclude that these existing technologies cannot be adapted for the problem at hand. Instead, we argue with this analysis that even with TTPs, solutions to this problem are not obvious. To address this we have developed the PBES system with the high-level architecture described in Figure 4.1. The approach satisfies the requirements of Section 3 as follows.

The system is illustrated in Figure 4.1 and contains five main components: the data owner/sender, the object repository/relay, the Key Distribution Center (KDC), the attribute database and the data receiver. A data owner in our system specifies a policy pol and generates a data object o (e.g., a file) that is intended for one or more recipients satisfying the policy. The sender uses an encryption scheme to encrypt the object and the policy. The object repository/relay represents any content distribution network, for example, a file server, an email relay or a publish-subscribe system. We assume that the encrypted object contains sufficient metadata (e.g., keywords) to allow for routing/searching of the data for intended/interested recipients, but that this metadata does not reveal the policy. Since the object is encrypted, the repository/relay need not be trusted to protect the object or enforce access control on it. Recipients obtain the encrypted object from this repository/relay via available pull/push mechanisms. Once a recipient gets the encrypted object it contacts the KDC to obtain the object decryption key. The KDC may contact an Attribute Database that manages user attributes and privileges and keeps track of environmental attributes. The Attribute Database abstracted here is a logical entity and in practice may be composed of multiple databases/services.

There are key design choices here that affect the efficiency, security, flexibility and compatibility. We require that the object and the policy be encrypted and stored together but that they be separable for decryption purposes. This improves efficiency because on the sender side the sender need not specify the policy at multiple servers (KDCs) that may be trusted with policy enforcement, and on the receiver side the receiver need not send the encrypted object (which could be large) to the KDC for policy enforcement and decryption. We associate the object and policy with a key rather than generate the key from the policy. This allows for considerable flexibility and compatibility as any policy language may be used; e.g., one that is already used by the application for other purposes. While there is a range of potential languages and tools, we believe that tools based on XACML are a good candidate for PBES. The approach of associating data and policies with keys, however, imposes the need for an encryption scheme that is secure against active adversaries. In the absence of this, adversaries may be able to manipulate the encrypted objects and policies stored at the repository in unauthorized ways; e.g., associate a new object with an existing policy or vice-versa. To that end we develop a PKEM-DEM hybrid encryption scheme that provides adequate security for PBES.

4.2 Notation and Security Notions

We first introduce some common notation used throughout this chapter. We then define formal notions of security for a policy-based encryption scheme for multiple recipients with policy secrecy.

Notation. Bit strings are denoted using lower case letters, $x$, and the length of such strings is denoted by $|x|$. Sets are denoted using capital letters, $S$, and the size of such sets is denoted by $|S|$. $s \leftarrow S$ denotes the operation of picking an element $s$ of $S$ uniformly at random. Adversaries are represented by probabilistic polynomial-time (PPT) algorithms $A$. $v \leftarrow A(a_1, a_2, \ldots, a_k)$ denotes the action of running the PPT algorithm $A$ with input $(a_1, a_2, \ldots, a_k)$ and letting $v$ be the output. $A^{O_1, O_2, \ldots, O_l}(a_1, a_2, \ldots, a_k)$ denotes a PPT adversary with input $(a_1, a_2, \ldots, a_k)$ and access to oracles $O_1, O_2, \ldots, O_l$. Let $\mathcal{E}$ denote a policy-based encryption scheme for multiple recipients with policy secrecy.

Given that we want to protect both message and policy secrecy, we define the notions of message indistinguishability and policy indistinguishability against adaptive chosen ciphertext attacks, similar to the ones defined in [42].

Figure 4.2: Encryption in the PKEM-DEM scheme instantiated using RSA-KEM and DEM1


Definition 4.1. Message Indistinguishability

$\mathcal{E}$ has message indistinguishability against an adaptive chosen ciphertext attack if the guessing advantage of any PPT adversary, $A = (A_1, A_2)$, as defined below is negligible.

where $G^{\text{msg-ind-cca2}}_{\mathcal{E},A}(k)$ is the game described below:

Setup. The environment generates a key-pair $(sk, pk)$ and gives $pk$ to $A$.

Phase 1. $A_1$ is provided with a decryption oracle for $\mathcal{E}$ with the above generated key-pair. It is also allowed to arbitrarily and adaptively add/corrupt users. That is, it can get access to arbitrary sets of attributes represented by corrupted users $U_i$.

Challenge. $A_1$ outputs two messages, $m_0, m_1$, of equal length, a policy $p$ of his choice and some state information $St$ with the following restriction:

Restriction 1: None of the corrupted users satisfy the policy $p$ throughout the game.

The environment then picks a random bit, $b \leftarrow \{0, 1\}$, encrypts message $m_b$ under policy $p$ and returns the challenge ciphertext $C^*$ along with $St$ to $A_2$.

Phase 2. $A_2$ is provided with a decryption oracle for $\mathcal{E}$ with the above generated key-pair and is allowed to do everything $A_1$ is allowed in Phase 1, with the constraint that Restriction 1 must be satisfied and that it cannot query the decryption oracle on $C^*$.

Output. $A_2$ outputs his guess $b' \in \{0, 1\}$. $A$ wins if $b' = b$.

That is, an adversary cannot distinguish between encryptions of two messages under a given policy. Restriction 1 is needed because otherwise the adversary can trivially win the game by decrypting the challenge ciphertext, as he has access to the keying material of a user who satisfies the policy.

Definition 4.2. Policy Indistinguishability

$\mathcal{E}$ has policy indistinguishability against an adaptive chosen ciphertext attack if the guessing advantage of any PPT adversary, $A = (A_1, A_2)$, as defined below is negligible.

where $G^{\text{pol-ind-cca2}}_{\mathcal{E},A}(k)$ is the game described below:

Setup. The environment generates a key-pair $(sk, pk)$ and gives $pk$ to $A$.

Phase 1. $A_1$ is provided with a decryption oracle for $\mathcal{E}$ with the above generated key-pair. It is also allowed to arbitrarily and adaptively add/corrupt users. That is, it can get access to arbitrary sets of attributes represented by corrupted users $U_i$.

Challenge. $A_1$ outputs state information $St$, a message, $m$, and two policies $p_0, p_1$ of equal length satisfying one of the following restrictions:

Restriction 2a: All of the corrupted users satisfy both policies $p_0$ and $p_1$ throughout the game. OR

Restriction 2b: None of the corrupted users satisfy either policy $p_0$ or policy $p_1$ throughout the game.

The environment then picks a random bit, $b \leftarrow \{0, 1\}$, encrypts message $m$ under policy $p_b$ and returns the challenge ciphertext $C^*$ along with $St$ to $A_2$.

Phase 2. $A_2$ is provided with decryption oracle access for $\mathcal{E}$ and is allowed to do everything $A_1$ is allowed in Phase 1, with the constraint that either Restriction 2a or 2b must be satisfied and that it cannot query the decryption oracle on $C^*$.

Output. $A_2$ outputs his guess $b' \in \{0, 1\}$. $A$ wins if $b' = b$.

That is, an adversary cannot distinguish between encryptions of a given message under two policies. Restriction 2a or 2b is needed because otherwise the adversary can trivially win the game by picking two policies such that he (i.e., one of the corrupted users) satisfies one of them and not the other.

We now define a security notion called pairwise indistinguishability for pairs $(m_0, pol_0)$, $(m_1, pol_1)$, which is motivated by the following scenario. Let us say an adversary knows that either message "Buy" is encrypted under policy "Aggressive" or message "Sell" is encrypted under policy "Moderate" (where "Aggressive" and "Moderate" are known investor profiles) but doesn't know which action is being recommended by a paid investment service.

Definition 4.3. Pairwise Indistinguishability

$\mathcal{E}$ has pairwise indistinguishability against an adaptive chosen ciphertext attack if the guessing advantage of any PPT adversary, $A = (A_1, A_2)$, as defined below is negligible.

where $G^{\text{pw-ind-cca2}}_{\mathcal{E},A}(k)$ is the game described below:

Setup. The environment generates a key-pair $(sk, pk)$ and gives $pk$ to $A$.

Phase 1. $A_1$ is provided with a decryption oracle for $\mathcal{E}$ with the above generated key-pair. It is also allowed to arbitrarily and adaptively add/corrupt users. That is, it can get access to arbitrary sets of attributes represented by corrupted users $U_i$.

Challenge. $A_1$ outputs two messages, $m_0, m_1$, of equal length and two policies, $p_0, p_1$, of equal length along with state information $St$ under the following restriction:

Restriction 3: None of the corrupted users satisfy either policy $p_0$ or $p_1$ throughout the game.

The environment then picks a random bit, $b \leftarrow \{0, 1\}$, encrypts message $m_b$ under policy $p_b$ and returns the challenge ciphertext $C^*$ along with state information $St$ to $A_2$.

Phase 2. $A_2$ is provided with a decryption oracle for $\mathcal{E}$ and is allowed to do everything $A_1$ is allowed in Phase 1, with the constraints that Restriction 3 must be satisfied and that it cannot query the decryption oracle on $C^*$.

Output. $A_2$ outputs his guess $b' \in \{0, 1\}$. $A$ wins if $b' = b$.

That is, an adversary cannot distinguish between encryptions of two message and policy pairs. Restriction 3 is needed because otherwise the adversary can trivially win the game by decrypting the challenge ciphertext, as he has access to the keying material of a user who satisfies the policy. By definition, pairwise indistinguishability implies message indistinguishability (when both policies are the same) and policy indistinguishability with Restriction 2b (when both messages are the same), and hence is a stronger notion of security. Furthermore, we note that using a standard hybrid argument one can show that message indistinguishability together with policy indistinguishability (with Restriction 2b) imply pairwise indistinguishability. In all the above definitions the adversary is allowed to corrupt multiple users and obtain their keying material; thus user-collusion attacks are taken into account.

4.3 Building Blocks

Our encryption scheme is based on the KEM-DEM hybrid encryption paradigm. We now introduce some cryptographic primitives that will be used to build our scheme and define the associated security notions.

4.3.1 Key Encapsulation Mechanism

A public-key based key encapsulation mechanism (KEM) consists of the following three algorithms: KEM.KeyGen, KEM.Encrypt and KEM.Decrypt. KEM.KeyGen is a PPT algorithm that takes as input a security parameter, $k \in \mathbb{N}$, and outputs a key pair $(sk, pk)$, i.e., $(sk, pk) \leftarrow \mathrm{KEM.KeyGen}(1^k)$. KEM.Encrypt is a PPT algorithm that takes as input a security parameter, $k \in \mathbb{N}$, and a public-key, $pk$, generated by KEM.KeyGen and outputs a pair $(K, C)$, where $K \in \{0,1\}^{\mathrm{KEM.KeyLen}(k)}$ is a key, $\mathrm{KEM.KeyLen}(k)$ is the key-length and $C$ is a ciphertext, i.e., $(K, C) \leftarrow \mathrm{KEM.Encrypt}(1^k, pk)$. KEM.Decrypt is a deterministic polynomial-time algorithm that takes as input a secret-key, $sk$, and a ciphertext, $C$, and returns either a key $K$ or a rejection symbol $\bot$, i.e., $\{K, \bot\} \leftarrow \mathrm{KEM.Decrypt}(sk, C)$. For correctness, we require that $\forall k \in \mathbb{N}$ and $\forall (sk, pk) \leftarrow \mathrm{KEM.KeyGen}(1^k)$ we have $\mathrm{KEM.Decrypt}(sk, C) = K$ for any $(K, C) \leftarrow \mathrm{KEM.Encrypt}(1^k, pk)$.

We define the notion of indistinguishability for KEMs against an adaptive chosen ciphertext attack (CCA2) as established in [27].

Definition 4.4. Let $A = (A_1, A_2)$ be a PPT CCA2 adversary. We define the guessing advantage of $A$ as follows:

$$\mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},A}(k) = \left|\Pr\left[G^{\text{kem-ind-cca2}}_{\text{KEM},A}(k) = b\right] - 1/2\right|$$

where

Game $G^{\text{kem-ind-cca2}}_{\text{KEM},A}(k)$:

$(sk, pk) \leftarrow \mathrm{KEM.KeyGen}(1^k);\ St \leftarrow A_1^{DEC(\cdot)}(pk)$

$b \leftarrow \{0, 1\};\ K_0^* \leftarrow \{0, 1\}^{\mathrm{KEM.KeyLen}(k)}$

$(K_1^*, C^*) \leftarrow \mathrm{KEM.Encrypt}(1^k, pk);\ K^* \leftarrow K_b^*$

$b' \leftarrow A_2^{DEC(\cdot)}(pk, C^*, K^*, St);\ \text{Return } b'$

and oracle $DEC(\cdot)$ is defined as $\mathrm{KEM.Decrypt}(sk, \cdot)$ with the condition that the oracle rejects queries on $C^*$ after the target ciphertext is given to the adversary.

That is, given a ciphertext and key pair, an adversary cannot tell whether the given key is the one encapsulated by the ciphertext or a random one.
4.3.2 Data Encapsulation Mechanism

A data encapsulation mechanism (DEM) is a symmetric key encryption scheme and consists of the following three algorithms: DEM.KeyGen, DEM.Encrypt and DEM.Decrypt. DEM.KeyGen is a PPT algorithm that takes as input a security parameter, $k \in \mathbb{N}$, and outputs a key $K$, i.e., $K \leftarrow \mathrm{DEM.KeyGen}(1^k)$. DEM.Encrypt is a polynomial-time algorithm that takes as input a message, $m$, and a key, $K$, generated by DEM.KeyGen and outputs a ciphertext $C$, i.e., $C \leftarrow \mathrm{DEM.Encrypt}(m, K)$. DEM.Decrypt is a deterministic polynomial-time algorithm that takes as input a key, $K$, and a ciphertext, $C$, and returns either the message $m$ or a rejection symbol $\bot$, i.e., $\{m, \bot\} \leftarrow \mathrm{DEM.Decrypt}(K, C)$. For correctness, we require that $\forall k \in \mathbb{N}$, $\forall K \leftarrow \mathrm{DEM.KeyGen}(1^k)$ and $\forall m$ we have

$$\mathrm{DEM.Decrypt}(K, \mathrm{DEM.Encrypt}(m, K)) = m$$

We define the notion of indistinguishability for a DEM against a one-time attack (OT) and a one-time adaptive chosen ciphertext attack (OTCCA) as established in [27].

Definition 4.5. Let $A = (A_1, A_2)$ be a PPT adversary. We define the guessing advantage of $A$, for $atk \in \{\text{ot}, \text{otcca}\}$, as follows:

$$\mathrm{Adv}^{\text{dem-ind-}atk}_{\text{DEM},A}(k) = \left|\Pr\left[G^{\text{dem-ind-}atk}_{\text{DEM},A}(k) = b\right] - 1/2\right|$$

where

Game $G^{\text{dem-ind-}atk}_{\text{DEM},A}(k)$:

$K \leftarrow \mathrm{DEM.KeyGen}(1^k);\ (St, m_0, m_1) \leftarrow A_1(1^k)$

$b \leftarrow \{0, 1\};\ C^* \leftarrow \mathrm{DEM.Encrypt}(m_b, K)$

$b' \leftarrow A_2^{DEC(\cdot)}(C^*, St);\ \text{Return } b'$

and oracle $DEC(\cdot)$ is defined as $\epsilon$ (i.e., no decryption oracle is available) in the OT attack case and as $\mathrm{DEM.Decrypt}(K, \cdot)$ in the OTCCA case, with the condition that the oracle rejects queries on $C^*$ after the target ciphertext is given to the adversary.

That is, an adversary cannot distinguish between the encryptions of two messages. Note that $A_1$ does not have access to an encryption oracle as this is a one-time scheme, i.e., the key is used for only one encryption.

KEM-DEM schemes are hybrid encryption schemes where the key generated by the KEM scheme is used by the DEM for data encapsulation. KEM-DEM schemes were shown to be secure [67, 38, 27]. The result is stated in the following theorem.

Theorem 4.1. If KEM is secure against adaptive chosen ciphertext attacks and DEM is secure against one-time adaptive chosen ciphertext attacks, then the hybrid encryption scheme KEM-DEM is secure against adaptive chosen ciphertext attacks. Specifically, if $A$ is a PPT adversary, then there exist PPT adversaries $B_1$ and $B_2$, whose running times are essentially the same as that of $A$, such that for all $k \in \mathbb{N}$ we have

$$\mathrm{Adv}^{\text{kem-dem-ind-cca2}}_{\text{KEM-DEM},A}(k) = \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},B_1}(k) + \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM},B_2}(k)$$

4.3.3 Policy and Key Encapsulation Mechanism

A policy and key encapsulation mechanism (PKEM) is an encapsulation mechanism which we define to encapsulate both a key and a policy. Similar to a KEM, a PKEM consists of three algorithms, namely, PKEM.KeyGen, PKEM.Encrypt and PKEM.Decrypt, and it provides the following interface. PKEM.KeyGen is a PPT algorithm that takes as input a security parameter, $k \in \mathbb{N}$, and outputs a key pair $(sk, pk)$, i.e., $(sk, pk) \leftarrow \mathrm{PKEM.KeyGen}(1^k)$. PKEM.Encrypt is a PPT algorithm that takes as input a bit string from the message space (interpreted as a policy), $pol$, and a public-key, $pk$, generated by PKEM.KeyGen and outputs a pair $(K, C)$, where $K \in \{0,1\}^{\mathrm{PKEM.KeyLen}(k)}$ is a key ($\mathrm{PKEM.KeyLen}(k)$ is the key-length) and $C$ is a ciphertext, i.e., $(K, C) \leftarrow \mathrm{PKEM.Encrypt}(pk, pol)$. PKEM.Decrypt is a deterministic polynomial-time algorithm that takes as input a secret-key, $sk$, and a ciphertext, $C$, and returns either a key and policy pair $(K, pol)$ or a rejection symbol $\bot$, i.e., $\{(K, pol), \bot\} \leftarrow \mathrm{PKEM.Decrypt}(sk, C)$. For correctness, we require that $\forall k \in \mathbb{N}$ and $\forall (sk, pk) \leftarrow \mathrm{PKEM.KeyGen}(1^k)$ we have $\mathrm{PKEM.Decrypt}(sk, C) = (K, pol)$ for any $(K, C) \leftarrow \mathrm{PKEM.Encrypt}(pk, pol)$.

Given that a PKEM encapsulates both a key and a policy, we define two notions of indistinguishability for a PKEM against an adaptive chosen ciphertext attack, viz., key indistinguishability and policy indistinguishability. We define each of them as follows.


Definition 4.6. Key Indistinguishability. Let A = (A₁, A₂) be a PPT CCA2 adversary. We define the guessing advantage of A as follows:

$$\mathrm{Adv}^{\text{pkem-key-ind-cca2}}_{\text{PKEM},A}(k) = \left|\Pr\left[G^{\text{pkem-key-ind-cca2}}_{\text{PKEM},A}(k) = b\right] - 1/2\right|$$

where

Game G^{pkem-key-ind-cca2}_{PKEM,A}(k):
    (sk, pk) ← PKEM.KeyGen(1ᵏ); (St, pol) ← A₁^DEC(·)(pk)
    b ← {0,1}; K₀* ← {0,1}^PKEM.KeyLen(k)
    (K₁*, C*) ← PKEM.Encrypt(pk, pol); K* ← K_b*
    b' ← A₂^DEC(·)(pk, C*, K*, St); Return b'

and oracle DEC(·) is defined as PKEM.Decrypt(sk, ·) with the condition that the oracle rejects queries on C* after the target ciphertext is given to the adversary.

Definition 4.7. Policy Indistinguishability. Let A = (A₁, A₂) be a PPT CCA2 adversary. We define the guessing advantage of A as follows:

$$\mathrm{Adv}^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},A}(k) = \left|\Pr\left[G^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},A}(k) = b\right] - 1/2\right|$$

where

Game G^{pkem-pol-ind-cca2}_{PKEM,A}(k):
    (sk, pk) ← PKEM.KeyGen(1ᵏ); (St, pol₀, pol₁) ← A₁^DEC(·)(pk)
    b ← {0,1}; (K*, C*) ← PKEM.Encrypt(pk, pol_b)
    b' ← A₂^DEC(·)(pk, (K*, C*), St); Return b'

and oracle DEC(·) is defined as PKEM.Decrypt(sk, ·) with the condition that the oracle rejects queries on C* after the target ciphertext is given to the adversary.

A symmetric-key based PKEM (SPKEM) is similar to the public-key based PKEM described above except that a symmetric key is used instead of the asymmetric key pair. The notions of key and policy indistinguishability for SPKEM are defined similarly to those of PKEM except that they are defined for an OTCCA adversary, i.e., the adversary does not get access to the encryption oracle in the first phase. We construct a SPKEM using a DEM as shown below and then build a PKEM using SPKEM and KEM.


SPKEM.Encrypt(pol, K):
    K' ← DEM.KeyGen(1ᵏ)
    m' ← pol || K'
    C ← DEM.Encrypt(m', K)
    Return (K', C)

SPKEM.Decrypt(K, C):
    m' ← DEM.Decrypt(K, C)
    if m' = ⊥ or parsing m' as pol || K' fails return ⊥
    else Return (pol, K')

where K is generated by DEM.KeyGen(1ᵏ).

This scheme is secure against OTCCA attacks on key and policy indistinguishability as stated by the following theorems.

Theorem 4.2. If DEM is secure against one-time adaptive chosen ciphertext attacks (OTCCA) on (message) indistinguishability then SPKEM is secure against one-time adaptive chosen ciphertext attacks (OTCCA) on key indistinguishability.

In particular, for every PPT adversary A, there exists a PPT adversary B whose running time is essentially the same as that of A such that for all k ∈ ℕ, we have

$$\mathrm{Adv}^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},A}(k) = \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM},B}(k) \qquad (4.1)$$

Proof of Theorem 4.2. Adversary B runs adversary A and accurately simulates a SPKEM game environment as follows. When A outputs a policy pol and requests a challenge key and ciphertext pair, (K*, C*), B does the following. B generates two random keys K₀ and K₁ for the underlying DEM scheme, creates two messages m₀ = pol || K₀ and m₁ = pol || K₁, outputs them to its DEM game environment and gets the challenge ciphertext C* = DEM.Encrypt(m_b, K) back. B gives A the following challenge key and ciphertext pair: (K₁, C*). B forwards any decryption queries A has to the decryption oracle it has access to and parses the output as pol || K before returning it to A. B outputs the guess bit that A outputs. Note that when b = 1, A gets the real key and when b = 0, A gets a random key. So if A outputs 1 when b = 1 or if A outputs 0 when b = 0 then A is successful by design. The success probability of adversary B, Pr[G^{dem-ind-otcca}_{DEM,B}(k) = b], is

$$\begin{aligned}
\Pr\left[G^{\text{dem-ind-otcca}}_{\text{DEM},B}(k) = b\right] &= 1/2 \cdot \Pr\left[G^{\text{dem-ind-otcca}}_{\text{DEM},B}(k) = 1 \mid b = 1\right] + 1/2 \cdot \Pr\left[G^{\text{dem-ind-otcca}}_{\text{DEM},B}(k) = 0 \mid b = 0\right] \\
&= 1/2 \cdot \Pr\left[G^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},A}(k) = 1 \mid b = 1\right] + 1/2 \cdot \Pr\left[G^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},A}(k) = 0 \mid b = 0\right] \\
&= \Pr\left[G^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},A}(k) = b\right]
\end{aligned}$$

□
Theorem 4.3. If DEM is secure against one-time adaptive chosen ciphertext attacks (OTCCA) on (message) indistinguishability then SPKEM is secure against one-time adaptive chosen ciphertext attacks (OTCCA) on policy indistinguishability.

In particular, for every PPT adversary A, there exists a PPT adversary B whose running time is essentially the same as that of A such that for all k ∈ ℕ, we have

$$\mathrm{Adv}^{\text{spkem-pol-ind-otcca}}_{\text{SPKEM},A}(k) = \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM},B}(k) \qquad (4.2)$$

Proof of Theorem 4.3. Adversary B simply runs A. On receiving pol₁ and pol₂ from A, B generates a random key, K*, for the underlying DEM scheme, sends pol₁ || K* and pol₂ || K* to its DEM game environment and returns the target ciphertext it receives to A. For decryption queries from A, B queries its own decryption oracle, parses the reply (if not ⊥) as pol and K and returns it to A. When A outputs a guess B outputs the same value. Clearly, B accurately simulates the SPKEM game environment for A. Thus any advantage A has in breaking policy indistinguishability of SPKEM is translated into advantage in breaking (message) indistinguishability of DEM. □

We now construct a PKEM scheme using a SPKEM and a KEM as follows:

PKEM.KeyGen(1ᵏ):
    (sk, pk) ← KEM.KeyGen(1ᵏ)
    Return (sk, pk)

PKEM.Encrypt(pol, pk):
    (K₁, C₁) ← KEM.Encrypt(1ᵏ, pk)
    (K₂, C₂) ← SPKEM.Encrypt(pol, K₁)
    C ← C₁ || C₂
    Return (K₂, C)

PKEM.Decrypt(sk, C):
    parse C as C₁ || C₂
    K₁ ← KEM.Decrypt(sk, C₁)
    if K₁ = ⊥ return ⊥
    m' ← SPKEM.Decrypt(K₁, C₂)
    if m' = ⊥ return ⊥
    else Return m' = (pol, K₂)


The above PKEM scheme is secure against adaptive chosen ciphertext attacks on both key and policy indistinguishability. In particular, the following theorems hold.

Theorem 4.4. If the KEM and SPKEM schemes are secure against adaptive chosen ciphertext attacks on key indistinguishability then PKEM is secure against adaptive chosen ciphertext attacks on key indistinguishability.

In particular, for every PPT adversary A, there exist PPT adversaries B₁ and B₂, whose running times are essentially the same as that of A, such that for all k ∈ ℕ, we have

$$\mathrm{Adv}^{\text{pkem-key-ind-cca2}}_{\text{PKEM},A}(k) \le 2 \cdot \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},B_1}(k) + \mathrm{Adv}^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},B_2}(k) \qquad (4.3)$$
Proof of Theorem 4.4. Let G₀ be the original attack game defined by Definition 4.6. Fix A and k and let C* = (C₁*, C₂*) denote the target ciphertext. Let S₀ denote the event that b' = b in G₀ so that

$$\mathrm{Adv}^{\text{pkem-key-ind-cca2}}_{\text{PKEM},A}(k) = |\Pr[S_0] - 1/2| \qquad (4.4)$$

We shall define two modified attack games G₁ and G₂. Each of the games G₀, G₁, G₂ operates on the same underlying probability space. That is, the cryptographic keys, the coin tosses of A and the hidden bit b take identical values across all games. However, the games differ in how the environment responds to oracle queries. Let Sᵢ be the event that b' = b in game Gᵢ for 1 ≤ i ≤ 2.

Game G₁. In this game, whenever a ciphertext (C₁, C₂) is submitted to the decryption oracle after the invocation of the encryption oracle, if C₁ = C₁* but C₂ ≠ C₂*, then the decryption oracle does not apply KEM.Decrypt to obtain the symmetric key but uses the K₁ produced by the encryption oracle instead. This is just a conceptual change and

$$\Pr[S_0] = \Pr[S_1] \qquad (4.5)$$

Game G₂. This game is similar to game G₁ except that a completely random key, K₁', is used in place of K₁ in both the encryption and decryption oracles. Any difference in the success probability of A against games G₁ and G₂ can be leveraged to construct an adversary algorithm that can break the CCA security of KEM. More precisely we have:

Lemma 4.8. There exists a probabilistic algorithm B₁ whose running time is essentially the same as that of A, such that

$$|\Pr[S_1] - \Pr[S_2]| = 2 \cdot \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},B_1}(k) \qquad (4.6)$$

Furthermore, in game G₂, since a random key, K₁', independent of the one encapsulated by C₁*, is used to produce the target ciphertext C₂* and by the decryption oracle, A is essentially carrying out a one-time adaptive chosen ciphertext attack against the SPKEM scheme described above. Thus we have

$$|\Pr[S_2] - 1/2| = \mathrm{Adv}^{\text{spkem-key-ind-otcca}}_{\text{SPKEM},B_2}(k) \qquad (4.7)$$

The theorem now follows from equations 4.4, 4.5, 4.6 and 4.7. □

Proof of Lemma 4.8. In the game against KEM, B₁ is given the public key, pk, and access to a decryption oracle for KEM. B₁ runs A with the public key pk. Decryption queries from A are answered by B₁ using the decryption oracle. When A outputs a policy pol and asks for the challenge key and ciphertext pair, B₁ does the following: 1) it gets a challenge key and ciphertext pair, (K*, C₁*), from the KEM game environment, 2) it generates two random keys, K₀ and K₁, for the underlying DEM, 3) picks a bit b ← {0,1} and 4) computes C₂ = DEM.Encrypt((pol || K₁), K*) and gives the challenge pair (K_b, (C₁*, C₂)) to A. Here K* is the key encapsulated by C₁* if δ = 1 or a random key if δ = 0, where δ ← {0,1} is chosen by the KEM game environment. For decryption queries from A in the second phase, if C₁ = C₁*, B₁ uses K* to decrypt C₂, otherwise it uses the decryption oracle for KEM. If A outputs a guess bit b' = b then B₁ outputs δ' = 1 else it outputs δ' = 0. Note that when δ = 1 A is in game G₁ and when δ = 0 A is in game G₂. Therefore Pr[b' = b | δ = 1] = Pr[S₁] and Pr[b' = b | δ = 0] = Pr[S₂].

$$\begin{aligned}
|\Pr[\delta' = \delta] - 1/2| &= 1/2 \cdot |\Pr[\delta' = 1 \mid \delta = 1] - \Pr[\delta' = 1 \mid \delta = 0]| \\
&= 1/2 \cdot |\Pr[b' = b \mid \delta = 1] - \Pr[b' = b \mid \delta = 0]| \\
&= 1/2 \cdot |\Pr[S_1] - \Pr[S_2]|
\end{aligned}$$

But |Pr[δ' = δ] − 1/2| = Adv^{kem-ind-cca2}_{KEM,B₁}(k), therefore

$$|\Pr[S_1] - \Pr[S_2]| = 2 \cdot \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},B_1}(k)$$

□


Theorem 4.5. If the underlying KEM and SPKEM schemes are secure against adaptive chosen ciphertext attacks on key and policy indistinguishability, respectively, then PKEM is secure against adaptive chosen ciphertext attacks on policy indistinguishability.

In particular, for every PPT adversary A, there exist PPT adversaries B₁ and B₂, whose running times are essentially the same as that of A, such that for all k ∈ ℕ, we have

$$\mathrm{Adv}^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},A}(k) = \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM},B_1}(k) + \mathrm{Adv}^{\text{spkem-pol-ind-otcca}}_{\text{SPKEM},B_2}(k) \qquad (4.8)$$

Proof Sketch of Theorem 4.5. This proof is very similar to that of Theorem 4.4 above, except that in Game G₂ the adversary is launching an OTCCA attack against policy indistinguishability of SPKEM instead of key indistinguishability. □
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4.4  Policy  Based  Encryption  System 


Our encryption scheme is based on the KEM-DEM hybrid encryption paradigm [27] and uses a Key Encapsulation Mechanism (KEM) and a Data Encapsulation Mechanism (DEM) as building blocks. For ease of exposition we define and use a construction, the Policy and Key Encapsulation Mechanism (PKEM), to build our scheme, dubbed PKEM-DEM. In our PKEM-DEM encryption scheme a file/message, m, is encapsulated using a DEM, where the key used by the DEM and the policy associated with the message, pol, are encapsulated using PKEM as defined below.


PKEM-DEM.KeyGen(1ᵏ):
    (sk, pk) ← PKEM.KeyGen(1ᵏ)
    Return (sk, pk)

PKEM-DEM.Encrypt(m, pol, pk):
    (K₂, C₁) ← PKEM.Encrypt(pol, pk)
    C₂ ← DEM.Encrypt(m, K₂)
    C ← C₁ || C₂
    Return C

PKEM-DEM.Decrypt-I(sk, f, C₁, u):
    m' ← PKEM.Decrypt(sk, C₁)
    if m' = ⊥ Return ⊥
    else parse m' as (pol, K₂)
    if f(u, pol) = 1 Return K₂
    else Return ⊥

PKEM-DEM.Decrypt-II(K₂, C₂):
    if K₂ = ⊥ Return ⊥
    m ← DEM.Decrypt(K₂, C₂)
    Return m


Here, u represents a user and his associated attributes along with contextual attributes, and f represents the policy evaluation function; f is a deterministic polynomial-time function that takes as input u and a policy, pol, and returns 1 if the user along with the context satisfies the policy and 0 otherwise. A PKEM-DEM scheme can be constructed using any KEM and DEM where the two schemes are independent². Figure 4.2 shows encryption in the PKEM-DEM scheme instantiated using RSA-KEM and DEM1 as defined in [27].

We use our PKEM-DEM encryption scheme to develop the PBES policy based encryption system, whose architecture is illustrated in Figure 4.1 and described in Section 4.1.2. The data owner in our system specifies a policy pol and uses the PKEM-DEM scheme to securely associate the policy with the data m and generate an encrypted object E(o) that hides both the policy and the data. In order to do so it chooses a KDC that it trusts to enforce the policy and release the DEM object encryption key to recipient(s) that satisfy the policy. It then obtains the public key of the KDC, PK, via a trusted source (e.g., a Certificate Authority, CA) and encrypts the object using the PKEM-DEM scheme.

Once a recipient obtains the encrypted object it must contact the KDC represented by the public key PK in the encrypted object in order to obtain the DEM object decryption key. To do so it initiates a protected transaction (e.g., over TLS) with the KDC and submits the PKEM part of the encrypted object (i.e., it excludes the encrypted object in the DEM part). The KDC then contacts the Attribute Database that manages user attributes and privileges and environmental attributes (i.e., context). The KDC uses these attributes of the user and the environment and the PKEM part of the object as inputs to PKEM-DEM.Decrypt-I to obtain the DEM key. The KDC releases the object decryption key, K, to the recipient and the recipient uses this key to decrypt the object using PKEM-DEM.Decrypt-II.

² KEM-DEM schemes built using a secure KEM and a secure DEM that are related may not be secure, as shown in [38].
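The layering described in Section 4.3.3 and above (SPKEM built from a DEM, PKEM built from a KEM and the SPKEM, and PKEM-DEM with the KDC-side Decrypt-I and recipient-side Decrypt-II split) as an added, runnable example. This is illustration code written for this page, not the dissertation's or any project's implementation, and its instantiations are assumptions: the DEM is a DEM1-style encrypt-then-MAC over an HMAC-SHA256 keystream, the KEM is a Diffie-Hellman KEM in the 127-bit Mersenne-prime group (far too small for real use), the policy evaluator f and the attribute sets are constructed, and None stands in for ⊥. The KDC releases K₂ only when f(u, pol) = 1, the recipient never sees sk or the policy, and a one-bit change to the PKEM part is rejected by the SPKEM's MAC before any key is released.

```python
# Added example, not the dissertation's code: stdlib-only toy of the
# DEM -> SPKEM -> PKEM -> PKEM-DEM layering with the KDC/recipient split.
# Assumed instantiations: DEM = encrypt-then-MAC over an HMAC keystream
# (DEM1-style); KEM = Diffie-Hellman KEM in a 127-bit toy group.
import hashlib, hmac, secrets, struct

KEY_LEN = 32
REJECT = None  # stands in for the rejection symbol (bottom)

# ---- DEM: one-time-key encrypt-then-MAC (key reuse is outside the DEM model) ----
def dem_keygen():
    return secrets.token_bytes(KEY_LEN)
def _subkeys(key):  # separate encryption and MAC keys derived from one DEM key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())
def _keystream(ek, n):
    blocks = [hmac.new(ek, struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]
def dem_encrypt(m, key):
    ek, mk = _subkeys(key)
    body = bytes(a ^ b for a, b in zip(m, _keystream(ek, len(m))))
    return body + hmac.new(mk, body, hashlib.sha256).digest()
def dem_decrypt(key, c):
    ek, mk = _subkeys(key)
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        return REJECT  # tampered or truncated: reject before any plaintext is released
    return bytes(a ^ b for a, b in zip(body, _keystream(ek, len(body))))

# ---- SPKEM from the DEM: encapsulate pol || K' under a symmetric key ----
def spkem_encrypt(pol, key):
    k2 = dem_keygen()
    m = struct.pack(">H", len(pol)) + pol + k2  # length prefix: pol||K' parses unambiguously
    return k2, dem_encrypt(m, key)
def spkem_decrypt(key, c):
    m = dem_decrypt(key, c)
    if m is REJECT or len(m) < 2:
        return REJECT
    n = struct.unpack(">H", m[:2])[0]
    if len(m) != 2 + n + KEY_LEN:
        return REJECT  # parsing m' as pol || K' failed
    return m[2:2 + n], m[2 + n:]

# ---- Toy DH KEM in Z_p^*, p = 2^127 - 1 (far too small for real use) ----
P, G = (1 << 127) - 1, 3
def kem_keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)
def kem_encrypt(pk):
    r = secrets.randbelow(P - 2) + 1
    k = hashlib.sha256(pow(pk, r, P).to_bytes(16, "big")).digest()
    return k, pow(G, r, P).to_bytes(16, "big")
def kem_decrypt(sk, c1):
    u = int.from_bytes(c1, "big")
    if not 1 < u < P - 1:
        return REJECT  # malformed group element
    return hashlib.sha256(pow(u, sk, P).to_bytes(16, "big")).digest()

# ---- PKEM = KEM + SPKEM; PKEM.KeyGen is just KEM.KeyGen ----
pkem_keygen = kem_keygen
def pkem_encrypt(pol, pk):
    k1, c1 = kem_encrypt(pk)
    k2, c2 = spkem_encrypt(pol, k1)
    return k2, c1 + c2  # C1 is a fixed 16 bytes, so C parses as C1 || C2
def pkem_decrypt(sk, c):
    k1 = kem_decrypt(sk, c[:16]) if len(c) >= 16 else REJECT
    return REJECT if k1 is REJECT else spkem_decrypt(k1, c[16:])

# ---- PKEM-DEM with the KDC (Decrypt-I) / recipient (Decrypt-II) split ----
def pkem_dem_encrypt(m, pol, pk):
    k2, c1 = pkem_encrypt(pol, pk)
    return c1, dem_encrypt(m, k2)
def pkem_dem_decrypt_1(sk, f, c1, u):
    """KDC side: recover (pol, K2) and release K2 only if f(u, pol) = 1."""
    r = pkem_decrypt(sk, c1)
    if r is REJECT:
        return REJECT
    pol, k2 = r
    return k2 if f(u, pol) == 1 else REJECT
def pkem_dem_decrypt_2(k2, c2):
    """Recipient side: needs only the released key, never sk or the policy."""
    return REJECT if k2 is REJECT else dem_decrypt(k2, c2)
def f(u, pol):
    """Constructed ev evaluator: pol lists required user and context attributes."""
    return 1 if set(pol.decode().split(",")) <= u else 0

def demo():
    sk, pk = pkem_keygen()
    pol = b"role=operator,region=west,shift=on-duty"
    c1, c2 = pkem_dem_encrypt(b"substation telemetry", pol, pk)
    full = {"role=operator", "region=west", "shift=on-duty"}
    granted = pkem_dem_decrypt_2(pkem_dem_decrypt_1(sk, f, c1, full), c2)
    denied = pkem_dem_decrypt_1(sk, f, c1, {"role=operator"})  # context attributes missing
    flipped = c1[:-1] + bytes([c1[-1] ^ 1])  # one-bit change in the PKEM part
    tampered = pkem_dem_decrypt_1(sk, f, flipped, full)
    return granted, denied, tampered
```

Calling demo() returns the decrypted message for a user whose attributes and context satisfy the policy, and ⊥ (None) both for a user missing the context attributes and for the tampered object. Length-prefixing pol inside the SPKEM is what makes the step "parsing m' as pol || K' fails" a well-defined check; a bare concatenation of a variable-length pol with K' would be ambiguous to parse, and the 2-byte length field together with the fixed KEY_LEN lets the decryptor reject anything of the wrong shape.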

4.5  Security  Analysis 

Since  pairwise  indistinguishability  (in  Def.  4.3)  implies  message  indistinguish¬ 
ability  (in  Def.  4.1)  and  policy  indistinguishability  (in  Def.  4.2)  with  restriction 
2b,  we  prove  that  PKEM-DEM  is  pairwise  indistinguishable  in  Theorem  4.6  and 
that  it  is  policy  indistinguishable  with  restriction  2a  in  Theorem  4.7  to  show  that 
PKEM-DEM  system  is  secure  against  adaptive  chosen  ciphertext  attacks. 

In the proofs for the following theorems, the decryption oracle for PKEM-DEM executes PKEM-DEM.Decrypt-I and PKEM-DEM.Decrypt-II on the decryption query and returns the output of both algorithms to the adversary.

Theorem 4.6. If DEM is secure against one-time chosen ciphertext attacks and PKEM is secure against chosen ciphertext attacks against both key and policy indistinguishability then PKEM-DEM is secure against chosen ciphertext attacks on pairwise indistinguishability as given in Definition 4.3.

In particular we have

$$\mathrm{Adv}^{\text{pkem-dem-pw-ind-cca2}}_{\text{PKEM-DEM}}(k) \le 5 \cdot \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM}}(k) + 4 \cdot \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM}}(k) \qquad (4.9)$$

Proof of Theorem 4.6. Let G₀ be the original attack game, i.e., $G^{\text{pkem-dem-pw-ind-cca2}}_{\text{PKEM-DEM},A}(k)$, described in Definition 4.3. Fix A and k and let C* = (C₁*, C₂*) denote the target ciphertext. Let S₀ denote the event that b' = b in G₀ so that

$$\mathrm{Adv}^{\text{pkem-dem-pw-ind-cca2}}_{\text{PKEM-DEM},A}(k) = |\Pr[S_0] - 1/2| \qquad (4.10)$$

We shall define two modified attack games G₁ and G₂. Each of the games G₀, G₁, G₂ operates on the same underlying probability space. That is, the cryptographic keys, the coin tosses of A and the hidden bit b take identical values across all games. However, the games differ in how the environment responds to oracle queries. Let Sᵢ be the event that b' = b in game Gᵢ for 1 ≤ i ≤ 2.

Game G₁. In this game, whenever a ciphertext (C₁, C₂) is submitted to the decryption oracle after the invocation of the encryption oracle, if C₁ = C₁* but C₂ ≠ C₂*, then the decryption oracle does not apply PKEM.Decrypt to obtain the symmetric key but uses the K₂* produced by the encryption oracle instead. This is just a conceptual change and

$$\Pr[S_0] = \Pr[S_1] \qquad (4.11)$$

Game G₂. This game is similar to game G₁ except that a completely random key, K₂', is used in place of K₂* in both the encryption and decryption oracles. Any difference in the success probability of A against games G₁ and G₂ can be leveraged to construct an adversary algorithm that can break key indistinguishability of PKEM. More precisely we have:

Lemma 4.9. There exists a probabilistic algorithm B₁ whose running time is essentially the same as that of A, such that

$$|\Pr[S_1] - \Pr[S_2]| = 2 \cdot \mathrm{Adv}^{\text{pkem-key-ind-cca2}}_{\text{PKEM},B_1}(k) \qquad (4.12)$$
We observe that in game G₂, the message m_b is encapsulated with a DEM using a key, K₂', that is independent of the one encapsulated by PKEM. Thus, in game G₂, adversary A is essentially carrying out a one-time adaptive chosen ciphertext attack against an instance of DEM or an adaptive chosen ciphertext attack on policy indistinguishability against an instance of PKEM. Specifically, we have:

Lemma 4.10. There exist probabilistic algorithms B₂ and B₃ whose running times (and number of decryption queries) are at most twice that of A, such that

$$|\Pr[S_2] - 1/2| \le \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM},B_2}(k) + \mathrm{Adv}^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},B_3}(k) \qquad (4.13)$$

The theorem now follows from equations 4.10, 4.11, 4.12 and 4.13. □


We  now  give  proofs  of  Lemmas  4.9  and  4.10  to  complete  the  proof  of  Theorem 
4.6. 


Proof of Lemma 4.9. B₁ is an adversary against key indistinguishability of PKEM and is given the public key, pk, and access to a decryption oracle for PKEM. B₁ runs A with the public key pk. When adversary A adds/corrupts a user, uᵢ, B₁ stores the user uᵢ and associated attributes in a list. Decryption queries, C = (C₁, C₂), with privileges of user uᵢ from A are answered by B₁ as follows: 1) B₁ submits C₁ to its PKEM oracle and gets either ⊥ or (pol, K₂), 2) if ⊥, it returns ⊥ to A, 3) else, if f(uᵢ, pol) = 1 it returns K₂ and DEM.Decrypt(K₂, C₂), otherwise it returns ⊥. When A outputs a message pair (m₀, m₁) and a policy pair (pol₀, pol₁) and asks for the challenge ciphertext, B₁ does the following: 1) verifies that none of the corrupted users uᵢ satisfies either pol₀ or pol₁, 2) picks a bit b ← {0,1}, 3) gives pol_b to the PKEM game environment and gets a challenge key and ciphertext pair, (K*, C₁*), and 4) computes C₂* = DEM.Encrypt(m_b, K*) and gives the challenge pair (C₁*, C₂*) to A. Here K* is the key encapsulated by C₁* if δ = 1 or a random key if δ = 0, where δ ← {0,1} is chosen by the PKEM game environment. In the second phase, when A adds/corrupts a user uᵢ, B₁ verifies that uᵢ does not satisfy either pol₀ or pol₁. To answer decryption queries, C = (C₁, C₂), from A in the second phase, B₁ uses the decryption oracle for PKEM as described above. Note that if A asks queries where C₁ = C₁* then B₁ returns ⊥, since none of the users compromised by A satisfy either pol₀ or pol₁. If A outputs a guess bit b' = b then B₁ outputs δ' = 1 else it outputs δ' = 0. Note that when δ = 1 A is in game G₁ and when δ = 0 A is in game G₂. Therefore Pr[b' = b | δ = 1] = Pr[S₁] and Pr[b' = b | δ = 0] = Pr[S₂]. Then,

$$\begin{aligned}
|\Pr[\delta' = \delta] - 1/2| &= 1/2 \cdot |\Pr[\delta' = 1 \mid \delta = 1] - \Pr[\delta' = 1 \mid \delta = 0]| \\
&= 1/2 \cdot |\Pr[b' = b \mid \delta = 1] - \Pr[b' = b \mid \delta = 0]| \\
&= 1/2 \cdot |\Pr[S_1] - \Pr[S_2]|
\end{aligned}$$

But |Pr[δ' = δ] − 1/2| = Adv^{pkem-key-ind-cca2}_{PKEM,B₁}(k), therefore

$$|\Pr[S_1] - \Pr[S_2]| = 2 \cdot \mathrm{Adv}^{\text{pkem-key-ind-cca2}}_{\text{PKEM},B_1}(k)$$

□

Proof of Lemma 4.10. Let the probability of success of A = (A₁, A₂) in game G₂ be 1/2 + ε. Then |Pr[S₂] − 1/2| = ε. Furthermore, let 1/2 + α be the probability that A outputs 1 when the challenge ciphertext it is given encrypts m₀ and pol₁, and 1/2 + β be the probability that A outputs 1 when the challenge ciphertext it is given encrypts m₁ and pol₀.

Part 1. B₂ is an OTCCA adversary against (message) indistinguishability of DEM that runs A. In particular, B₂ generates a KEM key pair, (sk, pk), and runs one instance of A₁, giving it pk, and two instances of A₂ (i.e., $A_{2,0}$ and $A_{2,1}$) with different challenge ciphertexts as follows. Phase 1 queries of A₁ are answered similarly to the way described in the proof of Lemma 4.9 above, except that B₂ has access to sk. When A₁ outputs a message pair (m₀, m₁), a policy pair (pol₀, pol₁) and state information St, B₂ does the following: 1) verifies that none of the corrupted users uᵢ satisfies either pol₀ or pol₁, 2) gives the pair (m₀, m₁) to the DEM game environment and obtains the challenge ciphertext $C_2^* = \text{DEM.Encrypt}(m_\delta, K_{DEM})$, 3) computes $C^*_{1,0} = \text{PKEM.Encrypt}(pol_0, pk)$ and $C^*_{1,1} = \text{PKEM.Encrypt}(pol_1, pk)$, and 4) runs $A_{2,0}$ with $(C^*_{1,0}, C_2^*)$ and $A_{2,1}$ with $(C^*_{1,1}, C_2^*)$ as the challenge ciphertexts. Phase 2 queries of A₂ are answered just like phase 1 except that 1) when A₂ adds/corrupts a user uᵢ, B₂ verifies that uᵢ does not satisfy either pol₀ or pol₁, and 2) when a decryption query of $A_{2,b}$ has $C_1 = C^*_{1,b}$, B₂ returns ⊥ as the adversary does not satisfy either of the policies. Let $A_{2,0}$'s output be b₀ and $A_{2,1}$'s output be b₁. B₂ outputs δ' = b₀ if b₀ = b₁ and outputs δ' = b_θ otherwise, where θ ← {0,1}. Thus the success probability of B₂, Pr[δ' = δ], is

$$\begin{aligned}
\Pr[\delta' = \delta] &= 1/2 \cdot \left(\Pr[\delta' = 0 \mid \delta = 0] + \Pr[\delta' = 1 \mid \delta = 1]\right) \\
&= 1/2 \cdot \Big(\big(\Pr[b_0 = 0 \wedge b_1 = 0 \mid \delta = 0] + \Pr[\theta = 0 \wedge b_0 = 0 \wedge b_1 = 1 \mid \delta = 0] + \Pr[\theta = 1 \wedge b_0 = 1 \wedge b_1 = 0 \mid \delta = 0]\big) \\
&\qquad + \big(\Pr[b_0 = 1 \wedge b_1 = 1 \mid \delta = 1] + \Pr[\theta = 0 \wedge b_0 = 1 \wedge b_1 = 0 \mid \delta = 1] + \Pr[\theta = 1 \wedge b_0 = 0 \wedge b_1 = 1 \mid \delta = 1]\big)\Big) \\
&= 1/2 \cdot \Big((1/2 + \epsilon)(1/2 - \alpha) + 1/2 \cdot (1/2 + \epsilon)(1/2 + \alpha) + 1/2 \cdot (1/2 - \epsilon)(1/2 - \alpha) \\
&\qquad + (1/2 + \beta)(1/2 + \epsilon) + 1/2 \cdot (1/2 + \beta)(1/2 - \epsilon) + 1/2 \cdot (1/2 - \beta)(1/2 + \epsilon)\Big) \\
&= 1/2 + \epsilon/2 + (\beta - \alpha)/4
\end{aligned}$$

But |Pr[δ' = δ] − 1/2| = Adv^{dem-ind-otcca}_{DEM,B₂}(k) = ε_DEM (say), therefore we have

$$\epsilon = 2 \cdot \epsilon_{DEM} + (\alpha - \beta)/2 \qquad (4.14)$$

Part 2. B₃ is a CCA adversary against policy indistinguishability of PKEM that runs A. B₃ is constructed similarly to B₂ with the obvious modifications.

In particular, B₃ generates a KEM key pair, (sk, pk), and runs one instance of A₁, giving it pk, and two instances of A₂ (i.e., $A_{2,0}$ and $A_{2,1}$) with different challenge ciphertexts. Decryption queries of A₁ are answered in the obvious way using sk. When A₁ outputs a message pair (m₀, m₁), a policy pair (pol₀, pol₁) and state information St, B₃ does the following: 1) gives the pair (pol₀, pol₁) to the SPKEM game environment and obtains the challenge ciphertext $C_2^* = \text{DEM.Encrypt}((pol_\delta \| K'), K_{SPKEM})$, 2) generates a random DEM key K and computes $C^*_{3,0} = \text{DEM.Encrypt}(m_0, K)$, $C^*_{3,1} = \text{DEM.Encrypt}(m_1, K)$ and $(K^*, C_1^*) = \text{KEM.Encrypt}(1^k, pk)$, and 3) runs $A_{2,0}$ with $(C_1^*, C_2^*, C^*_{3,0})$ and $A_{2,1}$ with $(C_1^*, C_2^*, C^*_{3,1})$ as the challenge ciphertexts. To answer decryption queries, C = (C₁, C₂, C₃), from A in the second phase, if C₁ = C₁*, B₃ uses the decryption oracle provided by the SPKEM environment to decrypt C₂, otherwise it uses sk. Let $A_{2,0}$'s output be b₀ and $A_{2,1}$'s output be b₁. B₃ outputs δ' = b₀ if b₀ = b₁ and outputs δ' = b_θ otherwise, where θ ← {0,1}. Thus the success probability of B₃, Pr[δ' = δ], is

$$\begin{aligned}
\Pr[\delta' = \delta] &= 1/2 \cdot \left(\Pr[\delta' = 0 \mid \delta = 0] + \Pr[\delta' = 1 \mid \delta = 1]\right) \\
&= 1/2 \cdot \Big(\big(\Pr[b_0 = 0 \wedge b_1 = 0 \mid \delta = 0] + \Pr[\theta = 0 \wedge b_0 = 0 \wedge b_1 = 1 \mid \delta = 0] + \Pr[\theta = 1 \wedge b_0 = 1 \wedge b_1 = 0 \mid \delta = 0]\big) \\
&\qquad + \big(\Pr[b_0 = 1 \wedge b_1 = 1 \mid \delta = 1] + \Pr[\theta = 0 \wedge b_0 = 1 \wedge b_1 = 0 \mid \delta = 1] + \Pr[\theta = 1 \wedge b_0 = 0 \wedge b_1 = 1 \mid \delta = 1]\big)\Big) \\
&= 1/2 \cdot \Big((1/2 + \epsilon)(1/2 - \beta) + 1/2 \cdot (1/2 + \epsilon)(1/2 + \beta) + 1/2 \cdot (1/2 - \epsilon)(1/2 - \beta) \\
&\qquad + (1/2 + \alpha)(1/2 + \epsilon) + 1/2 \cdot (1/2 + \alpha)(1/2 - \epsilon) + 1/2 \cdot (1/2 - \alpha)(1/2 + \epsilon)\Big) \\
&= 1/2 + \epsilon/2 + (\alpha - \beta)/4
\end{aligned}$$

But |Pr[δ' = δ] − 1/2| = Adv^{pkem-pol-ind-cca2}_{PKEM,B₃}(k) = ε_PKEM (say), therefore we have

$$\epsilon = 2 \cdot \epsilon_{PKEM} + (\beta - \alpha)/2 \qquad (4.15)$$


From equations 4.14 and 4.15 we have ε_PKEM − ε_DEM = (α − β)/2. Therefore,

$$\epsilon = \epsilon_{PKEM} + \epsilon_{DEM} \qquad (4.16)$$

Thus we have

$$|\Pr[S_2] - 1/2| = \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM},B_2}(k) + \mathrm{Adv}^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},B_3}(k)$$

□

Theorem 4.7. If PKEM is secure against chosen ciphertext attacks against policy indistinguishability then PKEM-DEM is secure against chosen ciphertext attacks on policy indistinguishability as given in Definition 4.2 with restriction 2a.

In particular we have

$$\mathrm{Adv}^{\text{pkem-dem-pol-ind-2a-cca2}}_{\text{PKEM-DEM}}(k) \le \mathrm{Adv}^{\text{kem-ind-cca2}}_{\text{KEM}}(k) + \mathrm{Adv}^{\text{dem-ind-otcca}}_{\text{DEM}}(k) \qquad (4.17)$$

Proof of Theorem 4.7. Intuitively, since the message encrypted under both policies is the same, any advantage an adversary has in distinguishing between the two policies encapsulated by the PKEM-DEM scheme must be due to an advantage the adversary has in distinguishing between two policies encapsulated by the PKEM scheme. In other words, any advantage an adversary has in breaking policy indistinguishability of PKEM-DEM can be translated into advantage in breaking policy indistinguishability of PKEM.

Specifically, B is an adversary against policy indistinguishability of PKEM. It runs A and accurately simulates the game $G^{\text{pkem-dem-pol-ind-2a-cca2}}_{\text{PKEM-DEM},A}$ for A. B runs A with the public key pk. When adversary A adds/corrupts a user, uᵢ, in phase 1, B stores the user uᵢ and associated attributes in a list. For decryption queries in phase 1 B does the following: 1) B submits C₁ to its PKEM oracle and gets either ⊥ or (pol, K₂), 2) if ⊥, it returns ⊥ to A, 3) else if f(u, pol) = 1 it returns K₂ and DEM.Decrypt(K₂, C₂), otherwise it returns ⊥. On receiving m, pol₀ and pol₁ from A, B does the following: 1) verifies that all of the corrupted users uᵢ satisfy both pol₀ and pol₁, 2) submits pol₀ and pol₁ to its PKEM game environment and gets back (K₂*, C₁*) where C₁* encapsulates pol_b, 3) computes C₂* ← DEM.Encrypt(m, K₂*) and returns the challenge ciphertext (C₁*, C₂*). For user corruption requests in phase 2, B verifies that the corrupted user satisfies both pol₀ and pol₁. For decryption queries from A in phase 2, B responds similarly to phase 1 except that when C₁ = C₁*, B returns K₂* and DEM.Decrypt(K₂*, C₂) if f(u, pol) = 1 and ⊥ otherwise, where u is submitted along with the decryption query. When A outputs a guess bit δ, B outputs its guess bit b' = δ. Clearly, B accurately simulates the PKEM-DEM game environment for A. Therefore we have

$$\Pr\left[G^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},B}(k) = b\right] = \Pr[b' = b] = \Pr[\delta = b] = \Pr\left[G^{\text{pkem-dem-pol-ind-2a-cca2}}_{\text{PKEM-DEM},A}(k) = b\right]$$

$$\Rightarrow \mathrm{Adv}^{\text{pkem-pol-ind-cca2}}_{\text{PKEM},B}(k) = \mathrm{Adv}^{\text{pkem-dem-pol-ind-2a-cca2}}_{\text{PKEM-DEM},A}(k)$$

Thus any advantage A has in breaking policy indistinguishability of PKEM-DEM is translated into advantage in breaking policy indistinguishability of PKEM. □


4.6  Application  Design  Issues 

We now discuss some design challenges that need to be addressed when developing applications with PBES and certain properties of PBES that potentially limit PBES' suitability for certain kinds of applications.

Trust Model for KDCs. An important issue in deploying PBES for an application in a distributed setting is identifying a trust model, i.e., identifying KDCs that an object encryptor can trust to distribute the object decryption key to appropriate recipients. A simple trust model is for all users to trust a single KDC to appropriately distribute decryption keys for their objects. However, a more scalable model would be to have multiple KDCs that users can trust for different sets of users and objects. For example, every domain may have its own KDC that is responsible for distributing message decryption keys to users within the domain appropriately, as was proposed for IBE [68]. The choice of trust model varies from application to application and we believe that a domain-based approach will be suitable for many applications. This trust model is similar to that of other policy-based encryption schemes that trust key distribution servers in recipient domains to distribute keys to appropriate users.

KDC Public-Key Distribution and Revocation Another challenge is distributing authentic public keys of KDCs and timely revocation information for those keys. Recently, schemes to distribute keys via DNS have been proposed [68, 41] and such an approach would be suitable for distribution of KDC public keys. While these schemes do not provide strong security guarantees (e.g., they are vulnerable to DNS cache poisoning attacks), wider deployment of the secure version of DNS, namely DNSSEC [3], will improve the security.

Policy Specification Language and Enforcement Engine Another issue is the identification, deployment and use of an appropriate policy specification language and enforcement engine. The language should be sufficiently expressive and the engine should be user-friendly, have strong performance and ideally should have formally verified assurances. Furthermore, standardization of tools can significantly aid in achieving software and interface compatibility when exchanging objects across domains. While there is a range of potential languages and tools, we believe that tools based on XACML are a good candidate for PBES. These tools have been used to specify flexible policies in various types of access control systems³. In particular, they allow us to specify flexible policies of the types described above, including the use of attribute-based expressions with string and numerical attributes that may be combined with AND, OR and NOT operands as well as context variables (e.g., time of day). The XACML language has been standardized and there exist several implementations of engines for policy verification, among which Sun's implementation is quite popular and Margrave has been formally verified [31].

³ http://www.oasis-open.org/committees/download.php/27298/xacmlRefs-V1-84-1.htm

Key escrow Given the PKEM part of any encrypted object, the KDC can always decrypt it to reveal the DEM decryption keys for the object. Therefore, our system provides a key escrow service via the KDC for the symmetric object keys. Note that in the regular mode of operation the KDC never sees the encrypted objects, just the encrypted object DEM keys. This kind of key escrow is common to several encryption systems that minimize encryption key distribution tasks. For example, in IBE [16] or CP-ABE [10] the PKG can always generate a private key for any given public key; however, under the normal mode of operation the PKG never sees encrypted messages. The difference is that a PKG provides escrow for private keys while we provide escrow for symmetric keys. This key escrow property may limit the applicability of our scheme in certain applications that demand strong end-to-end confidentiality assurances, for example, the exchange of sensitive content between two parties that know each other. In general, in large systems where senders wish to send confidential messages to a set of (possibly unknown) recipients that satisfy a given policy, such strong assurances may not be needed.

Online nature Since recipients need to contact the KDC for every decryption, the KDC needs to be always online and have adequate throughput to support this mediated decryption. This property of being always online may limit the applicability of our scheme for applications that have an offline nature, for example, the exchange of secure messages in a sensor network that has limited connectivity to CAs/KDCs. However, we observe that many distributed applications being developed and deployed today have a largely online nature in that users usually access objects over the network. We argue that in such an online world many of these applications can accommodate the presence of an online KDC. Furthermore, in applications where auditing and accountability are needed, mediated decryption offers an ideal opportunity for providing such capabilities. In Section 5.2.3 we study the throughput of a prototype implementation of a KDC and demonstrate that adequate throughput can be achieved with today's general purpose compute systems.

Arguments that support the need for online key generation/distribution servers have also been implicitly made by other policy encryption systems such as IBE and CP-ABE, which require PKGs to be available to generate and distribute private keys to users on a regular basis, as these systems employ short-lived keys to support revocation capabilities. Other systems such as PEAPOD [42] require recipients to contact an online CA for every object as well. In all these systems a security concern that arises from their online nature is the potential compromise of the KDC/CA/PKG private keys. To minimize this possibility, threshold decryption and key generation functions can be deployed over multiple servers to provide both increased intrusion tolerance and availability [6, 35, 39].

Chapter 5


Application  Integration  and  Evaluation 

In this chapter we demonstrate the use of the CP-ASBE and PBES schemes proposed in this work by integrating them with practical applications. We also undertake a preliminary performance evaluation of the proposed schemes. Specifically, in Section 5.1 we illustrate the use of CP-ASBE by employing it to provide message confidentiality in a novel messaging system that we proposed, namely, Attribute-Based Messaging (ABM). In Section 5.2 we illustrate the use of PBES by employing it to enable conditional sharing of sensitive sensor data among the operators of the Power Grid.

5.1  Attribute-Based  Messaging 

Attribute-Based Messaging (ABM) enables messages to be addressed using attributes of recipients rather than an explicit list of recipients or mailing lists with pre-defined members. Such attributes can be derived from any available source, including enterprise databases, and dispatched as Internet electronic mail (email) messages or other types of messaging. For example, a message about a restricted fellowship opportunity could be emailed to all of the female graduate students in engineering who have passed their qualifying exams. Such dynamic lists provide three primary advantages over static mailing lists: efficiency, exclusiveness, and intensionality. Efficiency means that messages are more likely to reach only the recipients that care about them. For example, if a message for the faculty on sabbatical is sent only to the ones with that attribute rather than the general faculty mailing list, then six sevenths of the faculty will be spared an unwanted message. Exclusiveness means that a sensitive message excludes parties that should not receive the message. For example, a message from the dean to the untenured faculty in a given department to solicit feedback on the clarity of tenure standards provided by the department's senior faculty might have this feature. Intensionality means that an address describes the recipients rather than listing them. For example, a message to the attending and primary-care physicians for Sara Smith saves the sender the need to know the names or addresses of the recipients. ABM has applications in enterprises using the enterprise database for internal messages. It provides benefits for Customer Relationship Management (CRM) and similar circumstances where a sender needs targeted messaging to clients, members, and so on. It also has applications to alert messaging, like health alert networks.

However, to achieve its full potential, an ABM design must resolve significant security concerns. Access control and confidentiality are two such concerns. ABM messaging becomes more beneficial as it exploits richer attribute information. However, user attribute information is sensitive and allowing anyone and everyone to target messages based on any or all user attributes could increase spam and violate the privacy of recipients. For example, who, if anyone, should be able to target a message to all of the employees who earn more than $150,000? It is possible to appoint an ABM super user as the only party that can send ABM messages, but a more scalable solution would regulate the rights of potential senders based on a general 'address authorization' policy. On the other hand, it is not obvious how to do this, since solutions like Access Control Lists (ACL) are likely to be unmanageable. As for confidentiality, current email systems offer the ability to encrypt messages end-to-end using public keys. For sensitive messages this provides valuable protection against compromised email relays or eavesdropping relay administrators. However, ABM cannot directly use this solution since message senders may not have an explicit list of the recipients of a message and, even if the recipients were known, it is probably not scalable to collect all of the necessary certificates to provide encryption for each recipient.

We addressed the first concern using Attribute-Based Access Control (ABAC) in [12] and focus on addressing message confidentiality in this chapter. Specifically, we address the message confidentiality challenge by employing CP-ABE to encrypt messages using attributes. Translating this to the ABM system, a sender can encrypt his message using attributes so that only users that satisfy the specified attributes can decrypt the message. This approach has two advantages. First, a message sender can encrypt his message directly (end-to-end) to the recipients without having to trust intermediate servers with the message contents. Second, the attribute expression used to target the message can also be used to specify the users that can decrypt the message. We show how CP-ABE is naturally integrated into an intra-enterprise ABM architecture and perform a preliminary evaluation of CP-ASBE against the BSW CP-ABE scheme in this architecture.

5.1.1 CP-ASBE for ABM


ABM assumes a context where there is a set of attributes that can be accessed and used for authorization and messaging. In particular, any enterprise has attribute data about its employees in its databases. We will refer generally to the parties who can send or receive ABM messages based on these attributes as users. A user can have zero or more values for any attribute¹. For example, a university might have the following attribute data on a user:

User ID = user089
Position = Faculty
Designation = Professor
Department = Computer Science
Department = Mathematics
Course Teaching = CS219
Course Teaching = CS486
Course Teaching = MATH523
Date of Join = 06/24/1988
Annual Salary = 80,000


In the above example the user is affiliated with two departments and is teaching three courses, so he has multiple values for those attributes. In general, the attribute value pairs used in the system can be classified as 1) boolean: those with a yes or no value, 2) enumerated: those with multiple non-numerical values and 3) numerical: those with multiple numerical values. This attribute information may not all be available in one centralized database but, instead, might be distributed over multiple databases that are managed by different units of an enterprise. An ABM system makes use of this information, abstracted as user attributes, to dynamically create recipient lists. To have this attribute information available to the ABM system, ABM envisions the use of a data services layer that presents a view of the attribute data after extracting it from the disparate databases. Some attributes are verified or established by the enterprise, like immigration status, age and salary, whereas others may be maintained by users, like a list of hobbies. In this work we focus on the former attributes.

¹ We restrict users from having multiple numerical values for the same attribute during our performance evaluations as the BSW CP-ABE encryption system cannot handle multiple numerical values for a given attribute.

The CP-ASBE (and BSW CP-ABE) scheme considers attributes simply as labels, i.e., arbitrary strings, rather than as attribute, value pairs as described above. Furthermore, the underlying mathematics can only check for equality of strings and hence only equality of strings is supported by default in encryption policies. However, the three types of attribute value pairs used by the ABM system are supported as follows. Boolean attributes are represented using just the attribute name, since only positive Boolean attributes are ever used as only monotonic policies are supported. Enumerated attributes are converted into multiple unique strings by concatenating the attribute name, a delimiter and one of the attribute values. In order to support numerical attributes and allow numerical comparisons in policies, CP-ASBE (and BSW CP-ABE) uses strings to represent individual bits of the numerical value. That is, numerical values are represented using a bag of strings, one for each bit of the value. For example, a 3-bit numerical attribute Level with value 4 is represented using the following strings: Level:1**, Level:*0*, and Level:**0. Now a policy with a numerical comparison can be represented using equalities on the strings representing bits. For example, the policy Level ≥ 2 can be translated as Level:1** OR Level:*1*.

An ABM system has three primary types of policies as described below.

1. The delivery policy is a sender-defined policy that specifies the set of users his message is targeted for. This is the 'ABM address' associated with a message. The message is routed only to users who have an attribute-set that satisfies this policy.

2. The address authorization policy controls the ability of a user to target messages using an ABM address. This is a system-wide policy and specifies which users have permission to target messages to a given attribute based on their own attributes. Conceptually, this policy determines the set of users that have permission to send messages to a given ABM address and the set of ABM addresses to whom a given user is allowed to send messages. This policy therefore controls access to the system.

3. The encryption policy is another sender-defined policy that specifies which users will have the ability to decrypt an encrypted message. The encryption policy associated with an encrypted message defines the combination of attributes needed to decrypt the message. This would typically be the attributes held by the recipients as specified by the delivery policy, but there are cases where key management is improved by allowing the delivery policy to be a subset of the encryption policy.

Table 5.1 describes the language used for ABM addresses and address authorization policy.

Table 5.1: Grammar for ABM Addresses and Rules

In ABM, the encryption policy is effectively the same as the ABM address (delivery policy) that routes the message to recipients. However, while the ABM system and thus the delivery policy use attribute, value pairs, the CP-ASBE (and BSW CP-ABE) scheme considers attributes simply as labels, i.e., arbitrary strings. Thus we implemented a policy translator that converts a given delivery policy into a valid encryption policy by converting all attribute value pairs in the delivery policy into unique attribute strings as described above, except for numerical attributes, which are automatically converted by the CP-ASBE and BSW CP-ABE implementations.
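The bit encoding of Section 5.1.1 and the policy translator just described, as an added example (not the thesis's code or the cpabe toolkit's): it encodes boolean, enumerated and numerical attribute values as strings, builds the equality-only policy for a numerical comparison in general (the text shows the single case Level ≥ 2), and translates a delivery policy into an encryption policy. The ':' delimiter, the '*' don't-care marker, MSB-first bit order and the tuple policy form are assumptions made here.

```python
"""Bag-of-bits encoding of numerical attributes and the delivery-policy to
encryption-policy translation described above.

Added example, not code from the thesis or the cpabe toolkit. Assumed here:
':' delimits name and value, '*' is a don't-care bit, bits are written MSB
first, and policies are nested ('and', ...)/('or', ...) tuples whose leaves
are attribute strings (or the constants True/False for trivial comparisons).
"""

DELIM = ":"

def _leaf(name, pos, bit, nbits):
    """One bit-string attribute, e.g. _leaf('Level', 1, '0', 3) -> 'Level:*0*'."""
    return f"{name}{DELIM}{'*' * pos}{bit}{'*' * (nbits - pos - 1)}"

def bag_of_bits(name, value, nbits):
    """Level=4 in 3 bits -> {'Level:1**', 'Level:*0*', 'Level:**0'}."""
    if not 0 <= value < 2 ** nbits:
        raise ValueError(f"{value} does not fit in {nbits} bits")
    bits = format(value, f"0{nbits}b")
    return {_leaf(name, i, bits[i], nbits) for i in range(nbits)}

def _and(terms):
    return terms[0] if len(terms) == 1 else ("and", *terms)

def _or(terms):
    return terms[0] if len(terms) == 1 else ("or", *terms)

def _bound_policy(name, t, nbits, want):
    """want='1' builds value >= t; want='0' builds value <= t, its mirror
    image under bitwise complement. value >= t holds iff value has every
    1-bit of t, or for some position i where t has a 0-bit value has a 1-bit
    and matches every 1-bit of t above i. Callers guarantee t is non-trivial,
    so at least one 'must' position exists."""
    tbits = format(t, f"0{nbits}b")
    must = [j for j in range(nbits) if tbits[j] == want]  # index 0 is the MSB
    terms = []
    for i in range(max(must)):  # gaps below the lowest must-bit are implied
        if tbits[i] != want:    # by the final term and so are left out
            above = [_leaf(name, j, want, nbits) for j in must if j < i]
            terms.append(_and(above + [_leaf(name, i, want, nbits)]))
    terms.append(_and([_leaf(name, j, want, nbits) for j in must]))
    return _or(terms)

def ge_policy(name, t, nbits):
    """Policy equivalent to name >= t; a bare True/False when trivial."""
    if t <= 0 or t >= 2 ** nbits:
        return t <= 0
    return _bound_policy(name, t, nbits, "1")

def le_policy(name, t, nbits):
    """Policy equivalent to name <= t; a bare True/False when trivial."""
    if t < 0 or t >= 2 ** nbits - 1:
        return t >= 0
    return _bound_policy(name, t, nbits, "0")

def gt_policy(name, t, nbits):
    return ge_policy(name, t + 1, nbits)

def encode_attributes(pairs, nbits=64):
    """Flatten (name, value) pairs into attribute strings: True -> bare name
    (boolean), str -> name:value (enumerated), int -> bag of bits (numerical)."""
    out = set()
    for name, value in pairs:
        if value is True:
            out.add(name)
        elif isinstance(value, int):
            out |= bag_of_bits(name, value, nbits)
        else:
            out.add(f"{name}{DELIM}{value}")
    return out

def translate(policy, nbits=64):
    """Policy translator: delivery-policy leaves (name, value) and
    (name, op, n) become attribute strings and bit-string sub-policies."""
    if policy[0] in ("and", "or"):
        return (policy[0], *[translate(p, nbits) for p in policy[1:]])
    if len(policy) == 2:
        name, value = policy
        return name if value is True else f"{name}{DELIM}{value}"
    name, op, n = policy
    build = {">=": ge_policy, ">": gt_policy, "<=": le_policy,
             "<": lambda a, t, b: le_policy(a, t - 1, b)}[op]
    return build(name, n, nbits)

def satisfies(policy, attrs):
    """Evaluate a monotone encryption policy over a user's attribute strings."""
    if isinstance(policy, bool):
        return policy
    if isinstance(policy, str):
        return policy in attrs
    combine = all if policy[0] == "and" else any
    return combine(satisfies(p, attrs) for p in policy[1:])

def exhaustive_check(nbits=4):
    """Cross-check the bit policies against integer comparison for all pairs."""
    for v in range(2 ** nbits):
        attrs = bag_of_bits("N", v, nbits)
        for t in range(2 ** nbits):
            for build, expect in ((ge_policy, v >= t), (gt_policy, v > t), (le_policy, v <= t)):
                if satisfies(build("N", t, nbits), attrs) != expect:
                    return False
    return True
```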

5.1.2  ABM  Architecture 

Figure 5.1 illustrates the architecture of our ABM system and its associated security system, which strongly influences the overall structure. The ABM system comprises a Policy Specialization Server (PSS) to authenticate and help users compose policy compliant ABM addresses, a Policy Decision Point (PDP) with the address authorization policy, an attribute database, an ABM server associated with an enterprise Mail Transport Agent (MTA) that resolves ABM addresses to recipient lists and mediates other components, and an Attribute Authority (AA) that issues attribute keys to the users. These components provide an infrastructure for three attribute-based policies for messaging: the system-wide address authorization policy, the user-defined delivery policy and the encryption policy.

Figure 5.1: ABM Architecture

The Policy Specialization (PS) Path authenticates the user, evaluates his attributes from the database with the policy decision point (PDP), and retrieves the address authorization policy specialized to the user. This eight step communication is represented by solid lines in Figure 5.2. In the first step, PS1, the user logs into the PSS. The PSS uses the enterprise authentication infrastructure to authenticate the user. Next, at PS2, the PSS sends the user's information to the ABM server and requests the specialized address authorization policy for the user. In steps PS3 and PS4 the ABM server queries and retrieves the user's attributes from the attribute database. In step PS5 the ABM server sends the user's attributes to the PDP and requests the specialized policy. The PDP then evaluates all the address authorization rules in the policy against the user's attributes to form the specialized address authorization policy. In this case it is a list of attributes that the user is allowed to use in his delivery policies or ABM addresses. In step PS6 it returns the routable attributes (literals) from the specialized authorization policy that the user can route on. The ABM server then returns the specialized authorization policy to the policy specialization server in step PS7. In step PS8, the policy specialization server provides an interface to the user to create a delivery policy by combining the routable address literals in the specialized authorization policy with ranges and boolean connectives as permitted. This is then saved by the user as the ABM address (delivery policy).

Figure 5.2: Policy Specialization Path

In the Messaging (MS) Path, users send and receive ABM messages using any standard MUA (dashed lines in Figure 5.3). The ABM address is translated to a valid encryption policy using the policy translator described in Section 5.1.1. A user composes a message and encrypts the body of the message using the encryption policy.

Figure 5.3: Messaging and Address Resolution Path

The delivery policy (or ABM address) is included in the message as an attachment. The message with encrypted body and ABM address as the attachment is signed using S/MIME [60, 61] for sender authentication. The user then sends the message to a pre-specified email address such as abm@localdomain.com in step MS1. The enterprise MTA is configured to notify the ABM server when it receives a message for the pre-specified address, as shown in step MS2. After processing the message, as described in the address resolution path below, the ABM server invokes the enterprise MTA in step MS3 to deliver the message to the list of recipients specified by the ABM address. Each receiver gets her message in her inbox in step MS4.

In  the  Address  Resolution  (AR)  Path,  the  ABM  server  processes  messages  to 
authenticate  the  sender,  determine  whether  the  sender  is  authorized  to  target  the 
message  based  on  the  associated  delivery  policy,  and  determine  the  recipients  defined 
by  the  delivery  policy  (dotted  lines  in  Figure  5.3).  Upon  receiving  the  message,  the 
ABM  server:  1)  verifies  the  S/MIME  signature  on  the  message  to  authenticate 
the  user,  and  2)  queries  the  attribute  database  for  the  sender’s  attributes.  In  step 
AR1,  the  ABM  server  checks  with  the  PDP  that  the  sender  is  authorized  to  send 
the  message  to  the  ABM  address  included  in  the  message.  In  step  AR2,  the  PDP 
evaluates  the  delivery  policy  for  accessing  the  attributes  contained  in  the  ABM 
address  against  the  sender’s  attributes  and  responds  in  the  affirmative  only  if  the 
user  is  allowed  access  to  all  attribute  literals  in  the  ABM  address.  The  ABM  server 
then  resolves  the  ABM  address  to  a  list  of  email  addresses  by  querying  the  attribute 
database  in  steps  AR3  and  AR4. 

The Attribute Keying (AK) Path describes the steps of the AA, which is similar to a certificate authority and supports the keying needs of users such as attribute keys and S/MIME certificates. After receiving an encrypted message, if the user does not have a current set of keys to decrypt the message, she requests them from the AA (dashed-dotted lines in Figure 5.4). A user authenticates to the AA in step AK1. The AA sends the user information (e.g., user id) to the enterprise database in step AK2. The database responds with the most current information about the user's attributes in step AK3. With the attribute set the AA gets from the database, it generates a cryptographic attribute key set using the CP-ASBE scheme after converting attribute, value pairs into attribute strings as described in Section 5.1.1. The AA sends the generated CP-ABE key back to the user over a secure channel in step AK4. The user can now decrypt her message using this key in step AK5.

Figure 5.4: Attribute Keying Path
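The Policy Specialization and Address Resolution paths above, as an added simulation (not the thesis's ABM prototype): the PDP specializes the address authorization policy into a sender's routable attribute names, the ABM server refuses an address that uses any attribute outside that set, and an authorized address is resolved against the attribute database. The users, attributes, the DNF address form and the rule form (required sender literals, routable attribute names) are constructed here as a stand-in for the Table 5.1 grammar; the S/MIME check is assumed to have already yielded the sender's user id.

```python
"""Simulation of the ABM server's Policy Specialization (PS) and Address
Resolution (AR) paths: the PDP specializes the address authorization policy
to a sender, the sender may target only attributes that specialization makes
routable, and an authorized ABM address is resolved to recipients.

Added example, not code from the thesis's ABM prototype. Assumptions: users,
attributes and rules are constructed; an ABM address is a list of terms (OR)
each holding literals (AND) as in Section 5.1.3, a literal being
(name, value) or (name, op, number); an authorization rule is
(literals the sender must hold, attribute names it may route on), a
hypothetical stand-in for the Table 5.1 rule grammar; S/MIME verification is
assumed done and to have yielded the sender's user id.
"""
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

# Constructed attribute database: user id -> email plus (attribute, value) pairs.
ATTRIBUTE_DB = {
    "user089": {"email": "user089@example.edu", "attrs": {
        ("Position", "Faculty"), ("Department", "Computer Science"),
        ("Department", "Mathematics"), ("Annual Salary", 80000)}},
    "user142": {"email": "user142@example.edu", "attrs": {
        ("Position", "Faculty"), ("Department", "Computer Science"),
        ("Annual Salary", 95000)}},
    "user007": {"email": "user007@example.edu", "attrs": {
        ("Position", "Dean"), ("Department", "Engineering"),
        ("Annual Salary", 210000)}},
    "user310": {"email": "user310@example.edu", "attrs": {
        ("Position", "Staff"), ("Department", "Computer Science"),
        ("Annual Salary", 52000)}},
}

# Constructed address authorization policy. Salary is sensitive (the "who may
# target employees earning over $150,000" question), so only deans route on it.
AUTHZ_RULES = [
    (set(), {"Department", "Position"}),
    ({("Position", "Faculty")}, {"Course Teaching"}),
    ({("Position", "Dean")}, {"Annual Salary"}),
]

def specialize(sender_attrs, rules=AUTHZ_RULES):
    """PS5/PS6: evaluate every rule against the sender's attributes and
    return the routable attribute names (the specialized policy)."""
    routable = set()
    for required, grants in rules:
        if required <= sender_attrs:
            routable |= grants
    return routable

def literal_holds(lit, attrs):
    """(name, value) must be held exactly; (name, op, n) compares numerically."""
    if len(lit) == 2:
        return lit in attrs
    name, op, n = lit
    return any(a == name and isinstance(v, int) and OPS[op](v, n) for a, v in attrs)

def address_matches(address, attrs):
    """DNF evaluation: some term has every literal satisfied."""
    return any(all(literal_holds(lit, attrs) for lit in term) for term in address)

def authorized(sender_attrs, address, rules=AUTHZ_RULES):
    """AR1/AR2: affirmative only if the sender may route on every attribute
    literal appearing in the ABM address."""
    used = {lit[0] for term in address for lit in term}
    return used <= specialize(sender_attrs, rules)

def resolve(address, db=ATTRIBUTE_DB):
    """AR3/AR4: resolve an ABM address to the recipients' email addresses."""
    return sorted(u["email"] for u in db.values()
                  if address_matches(address, u["attrs"]))

def abm_server(sender_id, address, db=ATTRIBUTE_DB, rules=AUTHZ_RULES):
    """Handle one message whose signature verified to sender_id: look up the
    sender's attributes, check authorization, then resolve. Returns the
    recipient list, or None when the sender is unknown or not authorized."""
    if sender_id not in db:
        return None
    if not authorized(db[sender_id]["attrs"], address, rules):
        return None
    return resolve(address, db)
```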

5.1.3  Experimental  Evaluation  of  CP-ASBE  in  ABM 

To evaluate the architectural framework presented in Section 5.1.2, we implemented a prototype ABM system in [12, 11]. In this section we describe how this prototype is used to evaluate CP-ASBE. We first describe the experimental setup and then present the results from the experimental evaluation of CP-ASBE and compare them with those obtained when using BSW CP-ABE.

A two-level CP-ASBE scheme provides better functionality than CP-ABE schemes in terms of 1) better supporting compound attributes and 2) supporting multiple numerical value assignments for a given attribute in a single key. In order to gauge the cost of this additional functionality we compared the encryption, decryption and key generation times using the ABM addresses that were used to evaluate the ABM prototype, after converting them into encryption policies. We now describe how the ABM addresses and user keys were generated.

Attribute Distribution and Database Population We populated a SQL database with 60,000 users and assigned attributes to them in the following manner. The system had a total of 100 attributes and about half of them are numerical attributes. The distribution of attributes in the user population affects the number of recipients a given ABM address resolves to. The number and type of attributes a user has also affects the attribute-key generation time. Users were assigned an attribute based on the incidence probability of that attribute. For example, if an attribute has an incidence probability of 0.1 then 10% of the user population is assigned that attribute. For our test database, most of the attributes (80%) had a probability of incidence that ranged from 0.0001 to 0.01, 10% had a probability of incidence that was between 0.5 and 0.9 and the remaining 10% had a probability close to 1. This distribution allowed a big range in the number of recipients per message, and, intuitively, this distribution also reflects organizations where all the users have some common attributes and the rest of the attributes are sparsely distributed in the population.

Encryption Policy Generation ABM addresses served as encryption policies after appropriate translation by our tool. The complexity of an ABM address affects the performance on the address resolution path by affecting both the number of recipients it resolves to and the database query resolution time. It also affects the encryption and decryption latencies, since ABM addresses serve as encryption policies. We wrote a probabilistic ABM address generator in Java, which created uniformly random ABM addresses of varying complexity in disjunctive normal form. Each ABM address consists of a number of terms combined with the OR operand. Each term consists of a number of literals (as defined in the grammar of Table 5.1) combined with the AND operand. Specifically, we varied the number of terms for a given ABM address between one and five (chosen uniformly at random) and the number of literals in each term between one and three (also chosen uniformly at random). Each literal was randomly assigned an attribute from the routable list of attributes of the message sender. These addresses were then translated into encryption policies. The resulting policies had a number of leaf nodes ranging from 23 to 66 (including the "bag of bits" representation of numerical attributes).

User  Key  Generation  For  each  encryption  policy,  a  representative  set  of  keys 
that  satisfy  the  policy  are  generated  and  used  for  decryption.  Specifically,  1)  a 
key  is  generated  for  each  conjunctive  clause  in  the  policy  such  that  it  satisfies  the 
clause  and  2)  a  key  is  generated  for  each  combination  of  conjunctive  clauses  in  the 
policy  such  that  the  key  satisfies  all  the  clauses  in  the  combination.  The  generated 
keys  had  boolean  attributes,  ranging  from  1  to  422,  i.e.,  including  the  “bag  of  bits” 
representation  for  numbers  with  64  bits  used  to  represent  each  integer. 

Figure 5.5: Encryption and Decryption Times. Panels: (a) Encryption Time, (b) Decryption Time, (c) Key Generation Time; axis label: attributes in key (including numerical bits).

Results For encryption, decryption and key generation when using BSW CP-ABE we used the CP-ABE toolkit (available at http://acsc.csl.sri.com/cpabe/). For encryption, decryption and key generation when using CP-ASBE we used the CP-ASBE toolkit that we developed by extending the CP-ABE toolkit as described in Section 3.6. Both implementations used a 160-bit elliptic curve group constructed on the curve $y^2 = x^3 + x$ over a 512-bit field. Decryption time for a policy is the average of decryption times with all the keys generated for that policy as described above. Experiments were run on a Linux box with a quad core 3.0GHz Intel Xeon and 2GB of RAM.

Key generation, encryption and decryption times are shown in Figure 5.5. As expected, key generation time was found to be linear in the number of attributes in the key, and CP-ASBE imposed very little overhead over BSW CP-ABE. On average, CP-ASBE imposed 18ms overhead per numerical attribute, i.e., per set, in the key and no overhead when there are no numerical attributes. To put this overhead in perspective, generating a key with 2 numerical attributes (and 145 boolean attributes in total) took 5s when using the BSW CP-ABE scheme and 5.035s when using the CP-ASBE scheme. Encryption time is also, as expected, linear in the number of leaves in the policy tree, and CP-ASBE imposed very little overhead when compared to BSW CP-ABE. On average, CP-ASBE imposed 8.3ms overhead per translating node in the policy. Since decryption time is dependent on both the structure of the policy tree and the key used for decryption, it varied significantly even for a given policy size. However, in this case too the CP-ASBE scheme imposed very little to no overhead over BSW CP-ABE, 6.7ms on average. Overhead results are consistent with our efficiency analysis and performance numbers in general are consistent with those reported in [10].

5.2 Context-Sensitive Data Sharing in the Power Grid

The North American electric power grid is a highly interconnected system hailed as one of the greatest engineering feats of the 20th century. However, increasing demand for electricity and an aging infrastructure are putting increasing pressure on the reliability and safety of the grid, as witnessed in recent blackouts [73, 29]. Furthermore, deregulation of the power industry has moved it away from vertically integrated centralized operations to coordinated decentralized operations. Reliability Coordinators (RCs) are tasked by the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Council (NERC) with overseeing reliable operation of the grid and providing reliability coordination and oversight over a wide area. Balancing Authorities (BAs) are tasked with balancing load, generation and scheduled interchange in real-time in a given Balancing Authority Area (BAA). A BAA is a geographic area where a single entity balances generation and loads in real-time to maintain reliable operation. BAAs are the primary operational entities that are subject to NERC regulatory standards for reliability. Every generator, transmission facility, and end-use customer is in a BAA.

Currently, sensor readings from substations in utilities² are sent via a communication network to the Supervisory Control And Data Acquisition (SCADA) systems in the local BA that controls the system and to the RC that oversees reliable operation of the system. There are operations taking place at various time granularities to keep the power system stable and reliable. Among the frequent operations, protection and control mechanisms at substations operate at the granularity of milliseconds, state estimators and contingency analysis in BAs and RCs operate at the granularity of minutes, and hourly and day-ahead power markets run by RCs operate at the granularity of an hour and a day respectively.

In order to improve the reliability of the power grid while meeting the increased power demand, the industry is moving towards wide-area measurement, monitoring and control. The Department of Energy (DOE), NERC and electric utility companies formed the North American SynchroPhasor Initiative (NASPI) (www.naspi.org) with a vision to improve the reliability of the power grid through wide area measurement, monitoring and control. Its mission is to create a robust, widely available and secure synchronized data measurement infrastructure with associated monitoring and analysis tools for better planning and reliable operation of the power grid. NASPI envisions deployment of hundreds of thousands of Phasor Measurement Units (PMUs) across the grid that pump data at 30 samples/second to hundreds of applications in approximately 140 BAAs across the country. PMUs are clock synchronized (through GPS) sensors that can read current and voltage phasors at a substation bus on the transmission power network. Phasor Data Concentrators (PDCs) at substations or control centers time-align the data from multiple PMUs before sending them to applications. PMUs give direct access to the state of the grid at any given instant, in contrast to having to estimate the state as is done today. Figure 5.6 shows a high-level architecture envisioned for PMUs. Applications envisioned to utilize this data have varying requirements. Open loop control applications like state estimation have critical time alignment requirements, while post event analysis applications like disturbance analysis have critical accuracy and message rate requirements. Feedback control applications like transient stability control have critical latency, availability, accuracy, message rate and time alignment requirements [28].

² In this paper the term 'utility' is used to refer to power grid entities in a broad sense, including generator owners/operators, transmission owners/operators, distributors and load serving entities.

Figure 5.6: Proposed NASPI PMU Architecture

While utilities are currently mandated to share operational data with their local BA and RC, they are not required or expected to share data with other utilities. This is because, while the utilities have to cooperate with each other to operate the grid safely and reliably, they are also business competitors. Furthermore, this data can reveal a fine grained view of a utility's network and the current state of that network. In the wrong hands the former can make the utility a target of attacks and the latter can affect the wholesale electricity markets and, as a consequence, the utility itself adversely. Another consideration hampering data sharing is the concern of utilities that they might open themselves up for continuous compliance monitoring. However, there is mutual benefit in sharing PMU data widely as it will help in operating the grid safely and reliably and in avoiding overloading, outages, brown-outs and blackouts [73, 29]. Sharing PMU data will also help in planning, post disturbance/event analysis [29] and for research and development purposes.
Currently two pilot deployments, each with about 75 PMUs, exist in the Eastern [30] and Western [21] Interconnects. There is a need for a framework that provides for secure and flexible data sharing before a wide area full scale deployment of PMUs can be realized [28]. While we discussed the North American power grid above, a similar data sharing problem exists in other power grids, such as those of Australia, Europe and Japan, that are either in the process of deregulation or are already deregulated. The use of PMUs for wide area monitoring and control is also being considered in those grids.

5.2.1 Requirements

Given the sensitive nature of the data and the reluctance of utilities to share data, realizing wide area data sharing poses many challenges. First, establishing pair-wise trust between all the entities in a wide area is an O(n^2) problem and does not scale. Second, while the system is inherently transitive, i.e., highly interconnected such that a local disturbance can have impact over a wide area, trust relationships are not always transitive. Third, data is usually shared on a need to know basis and it is not known in advance who might be needing the data, e.g., for applications like post event analysis.

In studying the data sharing needs in the power grid we argue that a natural approach is to enable conditional access to data whereby utilities make data available to each other based on their ability to satisfy policies. Any solution requires a viable architecture, a data protection mechanism and a flexible policy enforcement mechanism. Specifically, a desirable solution should satisfy the following requirements:

Data sharing with multiple recipients Support data sharing with multiple recipients, all of whom may not be known in advance. In the power grid, for example, when data is to be shared based on prevailing or past conditions in the grid, e.g., for post event analysis applications like disturbance analysis, it is not possible for the data owner to know ahead of time with whom or with how many entities the data might need to be shared. For example, consider that the tripping of a line in Ohio caused a disturbance that eventually led to the August 2003 blackout, the largest in the North American Power Grid's history [73, 29].

Flexible policy specification and enforcement Data owners should be able to specify and associate flexible policies with data in a secure manner such that only entities that satisfy the policies can access the data. These policies may be context-based, in that data may only be shared based on the current state of the environment. Furthermore, the context-based policies may be such that the data owner may or may not be able to verify the satisfaction of such policies on his own. For example, voltage disturbances in the power grid are only visible in the vicinity of the event, which may be outside the data owner's range of observability, but their effect might eventually propagate over a wide area.

Data exchange on open and untrusted networks Given that data sharing is needed between many entities dispersed over a wide geographic area, requiring a trusted or even a closed network for data sharing is impractical and very expensive.


Protect data and policy secrecy Given the sensitive nature of the data and the need for sharing over open and untrusted networks, data secrecy must be protected. Furthermore, in open and untrusted networks the secrecy of the policies associated with the data should also be protected from the general public, as they might reveal sensitive information about the data, and because the data owning organizations would consider their policies themselves to be confidential. In some cases the policies need to be kept secret even from an authorized recipient, as the policies might reveal who else might have access to the data, thereby revealing business relationships of the data owner, which is undesirable.

Security Any solution should provide adequate security for both the data and the associated policies. Specifically, it should secure them against active and colluding adversaries.

Efficiency and Compatibility Any solution should be efficient in key management, including revocation, and should have low communication and computation overheads. Furthermore, the solution should be compatible with other infrastructure components.

5.2.2 PBES for Context-Sensitive Data Sharing in the Power Grid

In this section we illustrate how PBES is used to enable policy based data sharing in the power grid using an example usage scenario. First, we note that policies in our system are arbitrary strings that can be parsed and enforced by the KDC. Therefore, they are very flexible in nature. Policy elements of interest for object encryption, and in particular for data sharing in the power grid, include: 1) identities, where recipients must demonstrate ownership of identifiers, 2) groups or roles, where recipients must demonstrate membership of a group or role, 3) attributes, where recipients must demonstrate ownership of attributes that satisfy an attribute expression, and 4) context, where the KDC must verify environmental properties. Policies may combine any of these elements, and some example elements in the power grid are shown in Table 5.2.

Table 5.2: Example of Policy Elements

Policy Element  | Example
----------------+-------------------------------------------------------------------
Identity        | Email address, Distinguished Name
Group or Role   | Transmission System Operator, Reliability Engineer
Attribute       | Certified Dispatcher
Context         | Location of voltage disturbance, Status of a relay, Time of the day

As an example, consider a Utility A under the jurisdiction of an RC B. While Utility A is not willing to share its data with all other utilities in the area under normal circumstances, it might find that it is in its interest to share that data with some of them when they are experiencing a combination of events that might potentially lead to a voltage collapse, especially if no coordinated mitigation actions are taken. Possible combinations of events for voltage collapse are identified by the system planning static load flow analysis undertaken by NERC or the RC B. Specifically, the policy of Utility A for sharing data with any Utility X is as follows:

Grant Access if
    (Reliability Engineer in Utility X) AND (Utility X in RC B) AND
    (Overloaded Tie Line between Utility X and Utility A) AND
    ((Below Critical Reactive Power Reserves in Utility X) OR (Reactive Limiters active in Utility X))


Utility A associates this policy with the data and encrypts it using the PKEM-DEM scheme, entrusting access control enforcement to the (local) RC B, i.e., the RC acts as the KDC. It then posts this data on its public data repository (which may use coarse-grained access control, for example, to limit write operations). If and when the Transmission System Operator in Utility C in the neighboring BAA notices an overload on the tie line connecting Utility C with A, and the Generation System Operator notices low reactive power reserves or reactive limiters turning on, they initiate mitigation procedures along with the Reliability Engineer. The Reliability Engineer obtains the relevant encrypted data from Utility A's repository based on the metadata associated with the encrypted objects. Examples of useful metadata are the start time and end time of the data samples contained in the encrypted object and coarse grained PMU location information. The Reliability Engineer then submits the encrypted data key to the RC for decryption. The RC, upon verifying that the associated policy is satisfied, returns the data decryption key. Note that the RC, having a wider view of the grid than Utility A, is able to verify the occurrence of the specified conditions in Utility C. The Reliability Engineer may repeat this action with all utilities with which their organization shares a tie line that is overloaded. He may or may not be successful in obtaining data, depending on the current policies of the individual utilities. The Reliability Engineer then feeds the data obtained into his contingency planning tool and coordinates the mitigation plan with the data sharing utilities based on the results.
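The mediated check in the scenario above, as an added example that is not part of the dissertation or its toolkit: the RC acting as KDC parses the policy string, binds "Utility X" to the requesting user's utility, and evaluates each element against the federated identity data and the grid state it observes before releasing the DEM key. The KEM/DEM cryptography and the TLS authentication are abstracted away; the dictionary standing in for the PKEM output, the user identities and the grid state are constructed sample values.

```python
import re
from dataclasses import dataclass

# The scenario's policy as an arbitrary string that only the KDC parses.
POLICY = ("Grant Access if (Reliability Engineer in Utility X) AND (Utility X in RC B) AND "
          "(Overloaded Tie Line between Utility X and Utility A) AND "
          "((Below Critical Reactive Power Reserves in Utility X) OR "
          "(Reactive Limiters active in Utility X))")
OPS = ("AND", "OR", "NOT")

def tokenize(text):
    """'(' and ')' are tokens; text between them is one operator or one predicate,
    so predicates must be parenthesised and operators separated by parentheses."""
    out = []
    for word in (p.strip() for p in re.split(r"([()])", text)):
        if word in ("(", ")"):
            out.append((word, word))
        elif word in OPS:
            out.append(("OP", word))
        elif word:
            out.append(("PRED", word))
    return out

def parse_policy(text):
    """Recursive descent into a tuple tree. Precedence: NOT, then AND, then OR."""
    toks, pos = tokenize(text.removeprefix("Grant Access if")), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else (None, None)
    def binary(op, sub):
        node = sub()
        while pos < len(toks) and toks[pos] == ("OP", op):
            take()
            node = (op, node, sub())
        return node
    def factor():
        kind, val = take()
        if (kind, val) == ("OP", "NOT"):
            return ("NOT", factor())
        if kind == "(":
            node, close = expr(), take()
            if close[0] != ")":
                raise ValueError("expected ')'")
            return node
        if kind == "PRED":
            return ("PRED", val)
        raise ValueError(f"unexpected token {val!r}")
    def expr():
        return binary("OR", lambda: binary("AND", factor))
    tree = expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in policy")
    return tree

@dataclass
class KDC:
    rc: str
    jurisdiction: set   # utilities under this RC
    users: dict         # authenticated identity -> (role, utility), from the federated databases
    overloaded: set     # frozensets of the two utilities joined by an overloaded tie line
    low_reserves: set   # utilities below critical reactive power reserves
    limiters: set       # utilities with reactive limiters active

    def predicate(self, text, requester):
        role, own = self.users[requester]
        b = lambda u: own if u == "X" else u   # bind "Utility X" to the requester's utility
        rules = [
            (r"Utility (\w+) in RC (\w+)", lambda m: b(m[1]) in self.jurisdiction and m[2] == self.rc),
            (r"Overloaded Tie Line between Utility (\w+) and Utility (\w+)",
             lambda m: frozenset({b(m[1]), b(m[2])}) in self.overloaded),
            (r"Below Critical Reactive Power Reserves in Utility (\w+)", lambda m: b(m[1]) in self.low_reserves),
            (r"Reactive Limiters active in Utility (\w+)", lambda m: b(m[1]) in self.limiters),
            (r"(.+) in Utility (\w+)", lambda m: role == m[1] and own == b(m[2])),  # role element
        ]
        for pattern, check in rules:
            if m := re.fullmatch(pattern, text):
                return check(m)
        return False  # unknown predicate: fail closed

    def evaluate(self, node, requester):
        op, *args = node
        if op == "PRED":
            return self.predicate(args[0], requester)
        vals = [self.evaluate(a, requester) for a in args]
        return not vals[0] if op == "NOT" else {"AND": all, "OR": any}[op](vals)

def kdc_release_key(kdc, encapsulated, requester):
    """Mediated decryption: the policy is re-checked on every request, so attribute
    or grid-state changes take effect immediately (the immediate revocation property)."""
    if requester in kdc.users and kdc.evaluate(parse_policy(encapsulated["policy"]), requester):
        return encapsulated["dem_key"]
    return None

# Constructed sample: RC B oversees A, C and D; the C-A tie line is overloaded and
# C's reactive reserves are below critical. The DEM key is a placeholder value.
KDC_B = KDC(rc="B", jurisdiction={"A", "C", "D"},
            users={"re@utility-c.example": ("Reliability Engineer", "C"),
                   "tso@utility-c.example": ("Transmission System Operator", "C"),
                   "re@utility-d.example": ("Reliability Engineer", "D")},
            overloaded={frozenset({"C", "A"})}, low_reserves={"C"}, limiters=set())
ENCAPSULATED = {"policy": POLICY, "dem_key": b"\x00" * 16}
```

Only the Reliability Engineer at Utility C obtains the key; the operator with the wrong role at C and the engineer at D, whose tie line to A is not overloaded, are refused, and once the RC no longer observes the overload the same request from C is refused too.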

Utility A might also have additional time constraints in its policy, limiting the data shared to a time window starting 30 minutes before the event (i.e., the tie line overload) and ending 30 minutes after the conditions are mitigated. We omitted this detail in the policy example above for brevity. Furthermore, Utility A might be sharing the data from its sensors with different entities under different conditions. So in practice the policy associated with the data will be a complex policy consisting of many sub-policies similar to the one in the example above. It is therefore necessary to preserve policy secrecy from legitimate recipients (apart from the general public) to prevent a recipient who satisfies one sub-policy, and thereby obtains the data, from learning the other sub-policies. While PBES provides policy secrecy from the general public and from legitimate recipients, it is possible to gain some information about the policy by gaming the system and from side channels such as traffic patterns. Some of this information leakage to outsiders can be mitigated by using secure TLS channels to upload and download data from the data repositories, but a full analysis of policy information leakage is out of the scope of this paper.

Choosing RCs to act as KDCs to enforce access control on data owned by utilities under their jurisdiction has the following two advantages. First, the trust relationships of the RC with all the utilities under its jurisdiction are leveraged to enable data sharing between utilities without the need to establish pairwise trust. Currently RCs already administer Certificate Authorities (CAs) that issue certificates to users in the utilities based on the federated user identity databases at the utilities that they have access to. Second, an RC is ideally suited to enforce certain context based policies that condition upon prevailing conditions in the grid, as in the example above, as it has a much wider view of the grid than any single utility. The environment/context attributes extracted from the current state of the power grid by the RC, along with the federated identity and attribute databases that the RC has access to, constitute the Attribute Database shown in Figure 4.1. In terms of key management, in our system data owners only need to obtain the public keys of KDCs in order to encrypt objects intended for any recipient that trusts those KDCs. In the power grid, knowing the public keys of the dozen or so RCs suffices to reach all users registered in those RC domains. For data recipients we do not add any additional key management burden, but we require recipients to contact the KDC for every decryption, which also provides support for immediate revocation because the KDC verifies policies for every object it decrypts. In systems where objects can potentially reside in repositories for a long time, immediate revocation provides effective policy compliance at the time of access.

While the RC is able to enforce the access policy, it is unlikely to have the resources to manage the data itself. This is because RCs may oversee many BAAs, e.g., the Midwest Independent System Operator (MISO) manages 37 BAAs, and they might have to manage large amounts of data (tens of thousands of objects adding up to hundreds of petabytes) and enforce different access policies on data from different control areas and utilities. A more feasible solution is the utilization of data warehousing solutions whereby encrypted data with an associated (encrypted) access policy is posted on a semi-trusted storage facility. The facility may be trusted to enforce coarse-grained access control, such as limiting write operations to trusted utilities, and to ensure availability, but should not be trusted for access to content; otherwise, it will become an attack target for access to all data [54]. So either utilities themselves might host repositories for data they are willing to share, or they might utilize an external data warehousing facility to provide semi-trusted storage. Table 5.3 shows which power grid entities play the roles of the components in the PBES architecture presented in Figure 4.1.


Table 5.3: PBES Entities vs. Power Grid Entities

PBES Entities       | Power Grid Entities
--------------------+------------------------------------------------------------------------
Data Owner/Sender   | Utilities
Data Repository     | Hosted by BAs/Utilities or Data Warehousing Providers
KDC                 | RC
Receiver            | Utilities, BAs
Attribute Database  | Environmental Attributes based on Power Grid State observed at the RC,
                    | along with Federated Identity/Attribute Databases at utilities

5.2.3 Prototype Implementation and Performance

We have implemented the PBES system and the PKEM-DEM construction and measured its performance. The implementation is aimed at releasing an easy-to-use toolkit in the near future that allows for integration in distributed applications. The implementation is built using the Java Bouncy Castle library and its S/MIME and CMS processors. These libraries and processors were chosen to allow for platform independence, flexible licensing of the toolkit and a simplified process for its standardization. Bouncy Castle has an open source license, CMS is a well accepted standard for message encapsulation, and S/MIME is a well accepted standard for public key encryption of multi-part messages (typically used in e-mail systems).

The PBES implementation provides interfaces for the following components: 1) object encryption, 2) policy decryption and verification and 3) object decryption. KDC private/public keys are assumed to be pre-created (e.g., using RSA key generation tools) and installed. Using the provided KDC public key, the object encryption component expects as input two files: one providing the message and one providing the policy. It then encrypts these files using the PKEM-DEM encryption scheme. While the object encryption interface treats both files as arbitrary strings, we use XACML as the policy language in our system. To allow for the encryption and transmission of the XACML policy within the S/MIME processors, we use the OtherRecipientInfo type and value fields in S/MIME to specify the policy. The policy decryption and verification interface expects as input an S/MIME encrypted object in the PKEM format, the KDC private key, and an authenticated user identity. For authentication we require users to initiate a TLS channel and provide a username/password, which are checked against a salted password database. This component then contacts the Attribute Database, which in our case is a SQL server, using a SQL query with the authenticated identity. After receiving the attributes it uses the XACML engine (in our case Sun's Java implementation³) to verify the decrypted policy. If the policy is satisfied it releases the DEM keys over the secure channel. Finally, the object decryption component expects as input an encrypted file and a DEM key, using which it applies the DEM decryption and outputs a file with the decrypted message.

³ http://sunxacml.sourceforge.net/
Performance We instantiate our PKEM-DEM scheme using an RSA-based CCA secure KEM, RSA-KEM [67], and an OTCCA secure DEM, DEM1 [67, 27] (essentially symmetric encryption with a message authentication code), as shown in Figure 4.2. We use a sample XACML policy with rules that each involve a combination of 10 different attributes. We use boolean, string and numerical attributes as well as a range of operands including AND, OR and NOT. Note that we do not limit the number of attributes used in the system, but just those used in each policy rule for this evaluation. Such policies intuitively match the complexity of policies that users can typically conceive of to protect data. Since PKEM-DEM is essentially a very efficient encryption/decryption scheme, the only potential performance bottleneck for an application is the policy decryption and verification component. To evaluate the performance we measure the throughput of this component, which involves the following tasks: perform an RSA and an AES decryption, verify the MAC, set up and exchange messages over a secure TLS channel, fetch attributes from the Attribute Database and verify the policy. We use 1024 bit RSA, 128 bit and 256 bit SHA-1, 128 bit AES, a SQL Attribute Database server located in the same subnet over a gigabit link, and the Sun XACML engine placed on the same server as the KDC. The KDC server is a workstation with a 32-bit, 2.4 GHz Pentium 4 processor, while the database is a Windows 2003 Server with dual Intel Xeon 3.2GHz processors. Averaged over 10,000 runs, the latency for the various tasks is as follows: 20.2ms for the RSA and AES decryption, negligible for the MAC, 44.7ms for the TLS channel, 40ms to fetch attributes and 12.8ms to verify the policy, for a total of 117.7ms. That is, we can support 510 requests/min.
Performance Comparison PEAPOD requires mediated access similar to PBES and, while they do not implement their system, their calculations indicate a similar performance of hundreds of requests per minute for the mediation server. Both PBES and PEAPOD require mediated access while CP-ABE does not; therefore, it is hard to compare the performance of these systems. However, we would like to note that in practice CP-ABE also needs to be online, for the simple reason that in any system with a large number of users the attribute private keys for individual users will expire with a distribution that pretty much requires the PKG to be online at all times to generate and distribute new private keys to the users. Furthermore, performance requirements for key generation are not trivial. Using the cp-abe toolkit [10], the average cost for generating 10 attribute private keys is 2.64 seconds, where 3 attributes are numerical and 7 are boolean. In a system where a single PKG supports 50,000 users (essentially a medium size organization), with each user having 10 attributes all with a lifetime of one week (note that in the absence of revocation all CP-ABE private keys need to be short lived), it will take a PKG 36 hours to complete one round of key generation.

Application Analysis For the power grid data sharing application we envision one or more KDCs (for fault tolerance and/or load balancing) being maintained at each of the dozen or so RCs. These KDCs will serve hundreds of utilities across the grid, with each RC focusing more on the tens of utilities in its jurisdiction. Based on an informal analysis of the data sharing needs in the grid we argue that each KDC being able to support 510 requests/min is sufficient to satisfy the requirements. Also, the policy examples discussed above match the kind of policy complexity studied in the performance analysis above. However, a formal analysis of data sharing transaction patterns, as well as a more comprehensive performance analysis taking into account networking and storage components, will be the topic of future work.
Chapter 6

Conclusion

In this dissertation, we addressed the problem of secure, policy-based multi-recipient data sharing and presented two novel policy-based data sharing schemes. The first scheme we presented, namely, Ciphertext-Policy Attribute-Set Based Encryption (CP-ASBE), enables policy-based data sharing with multiple recipients without the need for trusted mediating servers to enforce the policy and thus minimizes trust liability. We showed that CP-ASBE is the first Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme to provide the ability to organize attributes in user keys, after demonstrating the need for such ability in CP-ABE schemes in order for them to be practical and efficient. We also showed that its ability to organize attributes in user keys enables CP-ASBE to support (1) naturally occurring compound attributes, (2) multiple numerical assignments for a given attribute in a single key and (3) efficient key management, all of which are properties needed in practical scenarios but not provided by existing CP-ABE schemes. We showed that it achieves this versatility with very little overhead through efficiency analysis and performance evaluation of a prototype implementation integrated into a novel application we proposed, called Attribute-Based Messaging (ABM).

The second scheme we presented, namely, Policy Based Encryption System (PBES), supports context-based policies and provides policy privacy. We showed that while PBES incurs some trust liability by leveraging a trusted mediator, it achieves good properties of both mediated and unmediated solutions. We showed that PBES is a suitable candidate to enable context-based conditional sharing of sensitive sensor data among the operators of the Power Grid, which improves the efficiency and reliability of the Power Grid. We prototyped the system and demonstrated its performance to be reasonable.

While our proposed schemes achieve a unique set of properties, they do not achieve all the desirable properties of a scheme addressing secure policy-based, multi-recipient data sharing. Several open problems remain to be solved in this area. Supporting context-based policies without relying on trusted mediating servers is an important one. A related open problem is the lack of revocation in CP-ABE schemes, and ABE schemes in general, which is a significant hindrance to their adoption and deployment. While our CP-ASBE scheme and the key update scheme of [14] alleviate this problem to a certain extent, more work remains to be done in this area. While we support flexible policies and flexible attribute keys in our CP-ASBE scheme, we do not provide policy privacy, nor do we support multiple attribute authorities. The ABE scheme of [63] was extended to multiple authorities in [23, 50]. However, like [63], they can only support a single threshold gate for policies. The CP-ABE scheme of [10] was extended to multiple authorities in [53], but was limited to supporting disjunctive normal forms (DNF). Extending our work or proposing new schemes that can achieve policy privacy and support multiple authorities while retaining policy and attribute flexibility is an interesting open problem. CP-ASBE is shown to be secure in the Generic Group Model. Designing schemes secure in the standard model that achieve the flexibility of CP-ASBE is another direction of future work.

We envision two directions of future work related to PBES. First, the efficiency of PBES can be improved by using other encryption schemes such as the Tag-KEM/DEM framework [1]. Second, the practicality of PBES can be further explored by deeper integration with the power grid and by studying other real-world applications such as distributed file sharing.